Abstract. We propose a set theory strong enough to interpret powerful type theories underlying proof assistants such as LEGO and also possibly Coq, which at the same time enables program extraction from its constructive proofs. For this purpose, we axiomatize an impredicative constructive version of Zermelo-Fraenkel set theory IZF with Replacement and ω-many inaccessibles, which we call IZF_Rω. Our axiomatization utilizes set terms, an inductive definition of inaccessible sets and the mutually recursive nature of the equality and membership relations. It allows us to define a weakly-normalizing typed lambda calculus corresponding to proofs in IZF_Rω according to the Curry-Howard isomorphism principle. We use realizability to prove the normalization theorem, which provides a basis for program extraction capability.



1. Introduction 

Since the advent of the proofs-as-programs paradigm, also called propositions-as-types or Curry-Howard isomorphism, many systems with program extraction capability have been built: Lego [LP92], Agda/Alfa [Coq], Coq [The04], Nuprl [C+86], Minlog [BBS+98], to name a few. Some are quite powerful; for example Coq can interpret an intuitionistic version of Zermelo's set theory [Wer97]. With such power at hand, these systems have the potential of becoming very useful tools.

There is, however, one problem they all share, namely their foundational basis. In order to use Coq or Nuprl, one has to master the ways of types, a setting quite different from set theory, the standard framework for doing mathematics. A newcomer to this world, presented even with Π and Σ types emulating the familiar universal and existential quantifiers, is likely to become confused. The fact that the consistency of the systems is usually justified by a normalization theorem in one form or other does not make matters easier. Even when set-theoretic semantics is provided, it does not help much, given that the translation of "the statement $\forall x : \mathrm{nat}.\ \phi(x)$ is provable" is "the set $\prod_{n \in \mathbb{N}} [\![\phi[x := n]]\!]$ is inhabited", instead of the expected "for all $x \in \mathbb{N}$, $\phi(x)$ holds". The systems which are not based on type theory share the problem of unfamiliar foundations. This is a serious shortcoming preventing the systems from becoming widely used, as the initial barrier to cross is set quite high.

In [Moc06a] we have made the first step to provide a solution to this problem, by presenting a framework enabling extraction of programs from proofs, while using the standard, natural language of set theory. That framework was based on the intuitionistic set theory IZF with Replacement, called IZF_R. Roughly speaking, IZF_R is what remains from Zermelo-Fraenkel set theory ZF after carefully removing the excluded middle, while retaining the axioms of Power Set and unrestricted Separation. The detailed exposition can be found in Section 3. For more information on IZF and bibliography see [S85, Bee85]. We have defined a lambda calculus λZ corresponding to proofs in an intensional version of IZF_R and using realizability we have shown that λZ weakly normalizes. By employing an inner model of extensional set theory, we have used the normalization result to show that IZF_R enjoys the standard properties of constructive theories: the disjunction, numerical existence, set existence and term existence properties (DP, NEP, SEP and TEP). These properties can be used to extract programs from proofs [CM06]. All of them, apart from SEP, are essential to the extraction process. However, even though IZF_R is quite powerful, it is unclear if it is as strong as the type theories underlying the systems Coq and LEGO, the Calculus of Inductive Constructions (CIC) and the Extended Calculus of Constructions (ECC), as all known set-theoretical interpretations use ω-many strongly inaccessible cardinals [Wer97, Acz99].

We therefore axiomatize IZF with Replacement and ω-many inaccessible sets, which we call IZF_Rω. Our axiomatization uses an inductive definition of inaccessible sets. IZF_Rω extended with excluded middle is equivalent to ZF with ω-many strongly inaccessible cardinals. By utilizing the mutually recursive nature of the equality and membership relations, we avoid the need for the inner model and define a lambda calculus λZ_ω corresponding directly to proofs in IZF_Rω. We prove its normalization using realizability. As in [Moc06a], normalization can be used to show DP, NEP, SEP and TEP. While DP and NEP have been proved for even stronger theories in [FS84], our method is the first to provide the proof of TEP and SEP for intuitionistic set theory with inaccessible sets.

Inaccessible sets perform a similar function in a constructive setting to strongly inaccessible cardinals in the classical world and universes in type theories. They are "large" sets/types, closed under certain operations ensuring that they give rise to models of set/type theories. The closure conditions largely coincide in both worlds and an inaccessible can be used to provide a set-theoretic interpretation of a universe [Wer97, Acz99]. Both CIC and ECC have ω-many universes. By results of Aczel [Acz99], IZF_Rω is strong enough to interpret ECC. It is reasonable to expect that CIC could be interpreted too, as the inductive types in CIC need to satisfy positivity conditions and sufficiently strong inductive definitions are available in IZF_Rω due to the presence of the Power Set and unrestricted Separation axioms. Indeed, Werner's set-theoretic interpretation [Wer97] of a large fragment of CIC uses only the existence of inductively-defined sets in the set-theoretic universe to interpret inductively-defined types.

Our normalization result makes it possible to extract programs from proofs, using the techniques described in [CM06]. Thus IZF_Rω has all the proof-theoretic power of LEGO and likely Coq, uses familiar set-theoretic language and enables program extraction from proofs. This makes it an attractive basis for a powerful and easy-to-use theorem prover.

This paper is mostly self-contained. We assume some familiarity with set theory, proof theory and programming languages terminology, found for example in [Kun80, SU06, Pie02]. The paper is organized as follows. In Section 2 we present intuitionistic first-order logic. We axiomatize IZF with Replacement and ω-many inaccessibles in Sections 3 and 4. In Section 5 we define the calculus and prove its standard properties. Realizability is defined in Section 6 and used to prove normalization in Section 7. We describe related work in Section 8.



2. Intuitionistic first-order logic 

We start with a detailed presentation of intuitionistic first-order logic (IFOL). We use a natural deduction style of proof rules. The terms will be denoted by letters $t, s, u$. The logical variables will be denoted by letters $a, b, c, d, e, f$. The notation $\vec{a}$ denotes a finite sequence, treated as a set when convenient. The $i$-th element of a sequence is denoted by $a_i$. We consider α-equivalent formulas equal. The capture-avoiding substitution is defined as usual; the result of substituting $s$ for $a$ in a term $t$ is denoted by $t[a := s]$. We write $t[\vec{a} := \vec{s}]$ to denote the result of substituting simultaneously $s_1, \ldots, s_n$ for $a_1, \ldots, a_n$. Contexts, denoted by $\Gamma$, are sets of formulas. The free variables of a formula $\phi$, denoted by $FV(\phi)$, are defined as usual. The free variables of a context $\Gamma$, denoted by $FV(\Gamma)$, are the free variables of all formulas in $\Gamma$. The notation $\phi(\vec{a})$ means that all free variables of $\phi$ are among $\vec{a}$. The proof rules are as follows:

$$\frac{\phi \in \Gamma}{\Gamma \vdash \phi} \qquad \frac{\Gamma \vdash \phi \quad \Gamma \vdash \psi}{\Gamma \vdash \phi \wedge \psi} \qquad \frac{\Gamma \vdash \phi \wedge \psi}{\Gamma \vdash \phi} \qquad \frac{\Gamma \vdash \phi \wedge \psi}{\Gamma \vdash \psi}$$

$$\frac{\Gamma \vdash \phi}{\Gamma \vdash \phi \vee \psi} \qquad \frac{\Gamma \vdash \psi}{\Gamma \vdash \phi \vee \psi} \qquad \frac{\Gamma \vdash \phi \vee \psi \quad \Gamma, \phi \vdash \vartheta \quad \Gamma, \psi \vdash \vartheta}{\Gamma \vdash \vartheta}$$

$$\frac{\Gamma, \phi \vdash \psi}{\Gamma \vdash \phi \to \psi} \qquad \frac{\Gamma \vdash \phi \to \psi \quad \Gamma \vdash \phi}{\Gamma \vdash \psi} \qquad \frac{\Gamma \vdash \bot}{\Gamma \vdash \phi}$$

$$\frac{\Gamma \vdash \phi \quad a \notin FV(\Gamma)}{\Gamma \vdash \forall a.\ \phi} \qquad \frac{\Gamma \vdash \forall a.\ \phi}{\Gamma \vdash \phi[a := t]} \qquad \frac{\Gamma \vdash \phi[a := t]}{\Gamma \vdash \exists a.\ \phi} \qquad \frac{\Gamma \vdash \exists a.\ \phi \quad \Gamma, \phi \vdash \psi \quad a \notin FV(\Gamma, \psi)}{\Gamma \vdash \psi}$$

Negation in IFOL is an abbreviation: $\neg\phi \equiv \phi \to \bot$. So is the symbol $\leftrightarrow$: $\phi \leftrightarrow \psi \equiv (\phi \to \psi) \wedge (\psi \to \phi)$. Note that IFOL does not contain equality. The excluded middle rule added to IFOL makes it equivalent to classical first-order logic without equality.

Lemma 2.1. For any formula $\phi$, $\phi[a := t][b := u[a := t]] = \phi[b := u][a := t]$, for $b \notin FV(t)$.

Proof. Straightforward structural induction on $\phi$. □



3. IZF_R^ω

In this section we introduce our first approximation to IZF_Rω, called IZF_R^ω, which is IZF_R from [Moc06a] extended with the axioms postulating the existence of inaccessible sets. We start by presenting the axioms of IZF_R. It is a first-order theory. When extended with excluded middle, it is equivalent to ZF. The signature consists of two binary relational symbols $\in, =$ and the function symbols used in the axioms below. The symbols $0$ and $S(a)$ are abbreviations for $\emptyset$ and $\bigcup\{a, \{a, a\}\}$. Bounded quantifiers and the quantifier $\exists! a$ (there exists exactly one $a$) are also abbreviations defined in the standard way.
• (EXT) $\forall a, b.\ a = b \leftrightarrow \forall c.\ c \in a \leftrightarrow c \in b$

• (L_φ) $\forall a, b, \vec{f}.\ a = b \wedge \phi(a, \vec{f}) \to \phi(b, \vec{f})$

• (EMPTY) $\forall c.\ c \in \emptyset \leftrightarrow \bot$

• (PAIR) $\forall a, b \forall c.\ c \in \{a, b\} \leftrightarrow c = a \vee c = b$

• (INF) $\forall c.\ c \in \omega \leftrightarrow c = 0 \vee \exists b \in \omega.\ c = S(b)$

• (SEP_φ) $\forall \vec{f} \forall a \forall c.\ c \in S_\phi(a, \vec{f}) \leftrightarrow c \in a \wedge \phi(c, \vec{f})$

• (UNION) $\forall a \forall c.\ c \in \bigcup a \leftrightarrow \exists b \in a.\ c \in b$

• (POWER) $\forall a \forall c.\ c \in P(a) \leftrightarrow \forall b.\ b \in c \to b \in a$

• (REPL_φ) $\forall \vec{f}, a \forall c.\ c \in R_\phi(a, \vec{f}) \leftrightarrow (\forall x \in a \exists! y.\ \phi(x, y, \vec{f})) \wedge (\exists x \in a.\ \phi(x, c, \vec{f}))$

• (IND_φ) $\forall \vec{f}.\ (\forall a.\ (\forall b \in a.\ \phi(b, \vec{f})) \to \phi(a, \vec{f})) \to \forall a.\ \phi(a, \vec{f})$

The axioms (SEP_φ), (REPL_φ), (IND_φ) and (L_φ) are axiom schemas: there is one axiom for each formula $\phi$. Note that there are terms $S_\phi$ and $R_\phi$ for each instance of the Separation and Replacement axioms. Formally, terms and formulas are defined by mutual induction:

$$\phi ::= t \in t \mid t = t \mid \ldots \qquad t ::= a \mid \{t, t\} \mid S_\phi(t, \vec{t}) \mid R_\phi(t, \vec{t}) \mid \ldots$$

The axioms (EMPTY), (PAIR), (INF), (SEP_φ), (UNION), (POWER) and (REPL_φ) all assert the existence of certain classes and have the same form: $\forall \vec{a}. \forall c.\ c \in t_A(\vec{a}) \leftrightarrow \phi_A(c, \vec{a})$, where $t_A$ is a function symbol and $\phi_A$ a corresponding formula for the axiom (A). For example, for (POWER), $t_{POWER}$ is $P$ and $\phi_{POWER}$ is $\forall b.\ b \in c \to b \in a$. We reserve the notation $t_A$ and $\phi_A$ to denote the term and the corresponding formula for the axiom (A).

The terms $S_\phi(t, \vec{t})$ and $R_\phi(t, \vec{t})$ could be displayed as $\{c \in t \mid \phi(c, \vec{t})\}$ and $\{c \mid (\forall x \in t \exists! y.\ \phi(x, y, \vec{t})) \wedge (\exists x \in t.\ \phi(x, c, \vec{t}))\}$, respectively.

3.1. On the axioms of IZF_R.

3.1.1. The Leibniz axiom. The Leibniz axiom (L_φ) is usually not present among the axioms of set theories, as it is assumed that the logic contains equality and the axiom is a proof rule. We include (L_φ) among the axioms of IZF_R, because there is no obvious way to add it to intuitionistic logic in the Curry-Howard isomorphism context, as its computational content is unclear.

3.1.2. The Replacement axiom. A more familiar formulation of Replacement could be: "For all $\vec{F}, A$, if for all $x \in A$ there is exactly one $y$ such that $\phi(x, y, \vec{F})$ holds, then there is a set $D$ such that $\forall x \in A \exists y \in D.\ \phi(x, y, \vec{F})$ and for all $d \in D$ there is $x \in A$ such that $\phi(x, d, \vec{F})$". Let this formulation of Replacement be called (REPL0_φ), let $(R_\phi)$ be the term-free statement of our Replacement axiom, that is:

$$(R_\phi) = \forall \vec{f}, a \exists! d.\ \forall c.\ c \in d \leftrightarrow (\forall x \in a \exists! y.\ \phi(x, y, \vec{f})) \wedge (\exists x \in a.\ \phi(x, c, \vec{f}))$$

and let IZ denote IZF_R without the Replacement axiom and the corresponding function symbols. To justify our definition of Replacement, we prove the following two lemmas:

Lemma 3.1. IZ $\vdash (R_\phi) \to$ (REPL0_φ).

Proof. Assume $(R_\phi)$, take any $\vec{F}, A$ and suppose that for all $x \in A$ there is exactly one $y$ such that $\phi(x, y, \vec{F})$. Let $D$ be the set we get by applying $(R_\phi)$. Take any $x \in A$, then there is $y$ such that $\phi(x, y, \vec{F})$, so $y \in D$. Moreover, if $d \in D$ then there is $x \in A$ such that $\phi(x, d, \vec{F})$. This shows (REPL0_φ). □

Lemma 3.2. IZ $\vdash$ (REPL0_φ) $\to (R_\phi)$.

Proof. Assume (REPL0_φ), take any $\vec{F}, A$ and consider the set

$$B = \{a \in A \mid \forall x \in A \exists! y.\ \phi(x, y, \vec{F})\}.$$

Then for all $b \in B$ there is exactly one $y$ such that $\phi(b, y, \vec{F})$. Use (REPL0_φ) to get a set $D$. Then $D$ is the set we are looking for. Indeed, if $d \in D$, then there is $b \in B$ such that $\phi(b, d, \vec{F})$ and so by the definition of $B$, $\forall x \in A \exists! y.\ \phi(x, y, \vec{F})$ and $b \in A$. On the other hand, take any $d$ and suppose that $\forall x \in A \exists! y.\ \phi(x, y, \vec{F})$ and there is $x \in A$ such that $\phi(x, d, \vec{F})$. Then $x \in B$, so there is $y' \in D$ such that $\phi(x, y', \vec{F})$. But $y'$ must be equal to $d$, so $d \in D$. As it is trivial to see that $D$ is unique, the claim follows. □



3.1.3. The terms of IZF_R. The original presentation of IZF with Replacement in [Myh73] is term-free. Let us call it IZF_R0. We will now show that IZF_R is a definitional extension of IZF_R0.

In IZF_R0, for each axiom (A) among the Empty Set, Pairing, Infinity, Separation, Replacement, Union and Power Set axioms, we can derive $\forall \vec{a} \exists! d \forall c.\ c \in d \leftrightarrow \phi_A(c, \vec{a})$, using Lemma 3.2 in the case of the Replacement axiom. We therefore definitionally extend IZF_R0, by introducing for each such (A) the corresponding new function symbol $t_A(\vec{a})$ along with the defining axiom $\forall \vec{a} \forall c.\ c \in t_A(\vec{a}) \leftrightarrow \phi_A(c, \vec{a})$.

We then need to provide the Separation and Replacement function symbols $R_\phi$ and $S_\phi$, where $\phi$ may contain the new terms. To fix our attention, consider the Separation axiom. For some function symbol $S_\phi$, we need to have:

$$\forall \vec{f}, a \forall c.\ c \in S_\phi(a, \vec{f}) \leftrightarrow c \in a \wedge \phi(c, \vec{f})$$

As all terms present in $\phi$ were introduced via a definitional extension of IZF_R0, there is a term-free formula $\phi'$ equivalent to $\phi$. We therefore have:

$$\forall \vec{f}, a \forall c.\ c \in S_{\phi'}(a, \vec{f}) \leftrightarrow c \in a \wedge \phi'(c, \vec{f})$$

and consequently:

$$\forall \vec{f}, a \forall c.\ c \in S_{\phi'}(a, \vec{f}) \leftrightarrow c \in a \wedge \phi(c, \vec{f})$$

We define $S_\phi$ to be $S_{\phi'}$. Similarly, we can define $R_\phi$ to be $R_{\phi'}$. After iterating this process ω-many times, we obtain all instances of the terms and axioms (A) present in IZF_R.

It remains to derive the Leibniz and ∈-Induction axioms for formulas with terms. For the Leibniz axiom, take any $A, B, \vec{F}$ and suppose $A = B$ and $\phi(A, \vec{F})$. Then there is a term-free formula $\phi'$ equivalent to $\phi$, so also $\phi'(A, \vec{F})$. By the Leibniz axiom in IZF_R0, $\phi'(B, \vec{F})$, so also $\phi(B, \vec{F})$.

For the ∈-Induction axiom, take any $\vec{F}$ and suppose:

$$\forall a.\ (\forall b \in a.\ \phi(b, \vec{F})) \to \phi(a, \vec{F})$$

Taking $\phi'$ to be the term-free formula equivalent to $\phi$, we get:

$$\forall a.\ (\forall b \in a.\ \phi'(b, \vec{F})) \to \phi'(a, \vec{F})$$

By ∈-Induction in IZF_R0, we get $\forall a.\ \phi'(a, \vec{F})$, thus also $\forall a.\ \phi(a, \vec{F})$.

3.2. Inaccessible sets. To extend IZF_R with inaccessible sets, we add a family of axioms (INAC_i) for $i > 0$. We call the resulting theory IZF_R^ω. The axiom (INAC_i) asserts the existence of the $i$-th inaccessible set, denoted by a new constant symbol $V_i$, and is defined as follows:

$$(\mathrm{INAC}_i) \quad \forall c.\ c \in V_i \leftrightarrow \phi^i_1(c, V_i) \wedge \forall d.\ \phi^i_2(d) \to c \in d$$

Following the conventions set up for IZF_R, $\phi_{INAC_i}(c)$ is $\phi^i_1(c, V_i) \wedge \forall d.\ \phi^i_2(d) \to c \in d$. The formula $\phi^i_1(c, d)$ intuitively sets up the conditions for $c$ being a member of $V_i$, while $\phi^i_2(d)$ says what it means for $d$ to be inaccessible. To streamline the definition, we set $V_0$ to abbreviate $\omega$.

Definition 3.3. The formula $\phi^i_1(c, V_i)$ for $i > 0$ is a disjunction of the following five clauses:

(1) $c = V_{i-1}$.

(2) there is $a \in V_i$ such that $c \in a$.

(3) there is $a \in V_i$ such that $c$ is a union of $a$.

(4) there is $a \in V_i$ such that $c$ is a power set of $a$.

(5) there is $a \in V_i$ such that $c$ is a function from $a$ to $V_i$.

Definition 3.4. The formula $\phi^i_2(d)$ for $i > 0$ is a conjunction of the following five clauses:

(1) $V_{i-1} \in d$.

(2) $\forall e, f.\ e \in d \wedge f \in e \to f \in d$.

(3) $\forall e \in d.\ \bigcup e \in d$.

(4) $\forall e \in d.\ P(e) \in d$.

(5) $\forall e \in d.\ \forall f \in e \to d.\ f \in d$, where $e \to d$ denotes the set of all functions from $e$ to $d$.

Briefly, the $i$-th inaccessible set is the smallest transitive set containing $V_{i-1}$ and closed under unions, power sets and taking functions from its elements into itself. It is easy to see that IZF_R^ω + EM is equivalent to ZF with ω-many strongly inaccessible cardinals. For a theory $T$, let $M(T)$ denote the sentence "$T$ has a model". To show that the set $V_i$ defined by (INAC_i) behaves as an inaccessible set in IZF_R^ω, we prove:

Theorem 3.5 (IZF_R^ω). For all $i > 0$, $V_i \models$ IZF_R + M(IZF_R) + M(IZF_R + M(IZF_R)) + ... ($i$ times).

Proof. By Clause 2 in Definition 3.3, $V_i$ is transitive, so the equality and membership relations are absolute. Clause 1 gives us $\omega \in V_i$ and since its definition is $\Delta_0$, $V_i \models$ (INF). Clauses 3 and 4 provide the (UNION) and (POWER) axioms. Transitivity then gives (SEP) and (PAIR), while Clause 5, thanks to Lemma 3.2, gives (REPL_φ). The existence of the empty set follows by (INF) and (SEP). For the Induction axiom, we need to show:

$$\forall \vec{f} \in V_i.\ (\forall a \in V_i.\ (\forall b \in V_i.\ b \in a \to \phi^{V_i}(b, \vec{f})) \to \phi^{V_i}(a, \vec{f})) \to \forall a \in V_i.\ \phi^{V_i}(a, \vec{f})$$

Take any $\vec{F} \in V_i$. It suffices to show that:

$$(\forall a.\ a \in V_i \to (\forall b.\ b \in V_i \to b \in a \to \phi^{V_i}(b, \vec{F})) \to \phi^{V_i}(a, \vec{F})) \to \forall a.\ a \in V_i \to \phi^{V_i}(a, \vec{F})$$

This is equivalent to:

$$(\forall a.\ (\forall b.\ b \in a \to b \in V_i \to \phi^{V_i}(b, \vec{F})) \to a \in V_i \to \phi^{V_i}(a, \vec{F})) \to \forall a.\ a \in V_i \to \phi^{V_i}(a, \vec{F})$$

But this is the instance of the induction axiom for the formula $a \in V_i \to \phi^{V_i}(a, \vec{f})$.

Thus $V_i \models$ IZF_R. Since $V_1 \in V_2$, $V_2 \models$ IZF_R + M(IZF_R). Since $V_2 \in V_3$, $V_3 \models$ IZF_R + M(IZF_R + M(IZF_R)). Proceeding in this manner by induction we get the claim. □

4. IZF_Rω

We now present our final axiomatization of IZF with Replacement and inaccessible sets, which we call IZF_Rω. The advantage of this axiomatization over the previous one is that equality and membership are defined in terms of each other, instead of being taken for granted and axiomatized with the Extensionality and Leibniz axioms. This trick, which amounts to interpreting an extensional set theory in an intensional one, has already been used by Friedman in [Fri73]. As we shall see later, this makes it possible to prove a normalization theorem directly for the theory, thus avoiding the need for the detour via the class of transitively-L-stable sets used in [Moc06a].

The signature of IZF_Rω consists of three relational symbols $\in_I, \in, =$ and the terms of IZF_R^ω. The axioms of IZF_Rω are as follows:

• (IN) $\forall a, b.\ a \in b \leftrightarrow \exists c.\ c \in_I b \wedge a = c$

• (EQ) $\forall a, b.\ a = b \leftrightarrow \forall d.\ (d \in_I a \to d \in b) \wedge (d \in_I b \to d \in a)$

• (IND_φ) $\forall \vec{f}.\ (\forall a.\ (\forall b \in_I a.\ \phi(b, \vec{f})) \to \phi(a, \vec{f})) \to \forall a.\ \phi(a, \vec{f})$

• (A) $\forall \vec{a}. \forall c.\ c \in_I t_A(\vec{a}) \leftrightarrow \phi_A(c, \vec{a})$, for (A) being one of (EMPTY), (PAIR), (INF), (SEP_φ), (UNION), (POWER), (REPL_φ), (INAC_i). For example, the Power Set axiom has the form: $\forall a \forall c.\ c \in_I P(a) \leftrightarrow \forall b.\ b \in c \to b \in a$.

The extra relational symbol $\in_I$ intuitively denotes the intensional membership relation. Note that neither the Leibniz axiom (L_φ) nor the extensionality axiom are present. We will show, however, that they can be derived and that this axiomatization is as good as IZF_R^ω. From now on in this section, we work in IZF_Rω. The following sequence of lemmas establishes that equality and membership behave in the correct way. Statements similar in spirit are also proved in the context of Boolean-valued models. Our treatment slightly simplifies the standard presentation by avoiding the need for mutual induction.

Lemma 4.1. For all $a$, $a = a$.

Proof. By $\in_I$-induction on $a$. Take any $b \in_I a$. By the inductive hypothesis, $b = b$, so also $b \in a$. □

Corollary 4.2. If $a \in_I b$, then $a \in b$.

Lemma 4.3. For all $a, b$, if $a = b$, then $b = a$.

Proof. Straightforward. □
Lemma 4.4. For all $b, a, c$, if $a = b$ and $b = c$, then $a = c$.

Proof. By $\in_I$-induction on $b$. First take any $d \in_I a$. By $a = b$, $d \in b$, so there is $e \in_I b$ such that $d = e$. By $b = c$, $e \in c$, so there is $f \in_I c$ such that $e = f$. By the inductive hypothesis for $e$, $d = f$, so $d \in c$.

The other direction is symmetric and proceeds from $c$ to $a$. Take any $d \in_I c$. By $b = c$, $d \in b$, so there is $e \in_I b$ such that $d = e$. By $a = b$, $e \in a$, so there is $f \in_I a$ such that $e = f$. The inductive hypothesis gives the claim. □

Lemma 4.5. For all $a, b, c$, if $a \in c$ and $a = b$, then $b \in c$.

Proof. Since $a \in c$, there is $d \in_I c$ such that $a = d$. By the previous lemmas we also have $b = d$, so $b \in c$. □

Lemma 4.6. For all $a, b, d$, if $a = b$ and $d \in a$, then $d \in b$.

Proof. Suppose $d \in a$, then there is $e$ such that $e \in_I a$ and $d = e$. By $a = b$, $e \in b$. By Lemma 4.5, $d \in b$. □

Lemma 4.7 (Extensionality). If for all $d$, $d \in a$ iff $d \in b$, then $a = b$.

Proof. Take any $d \in_I a$. By Corollary 4.2, $d \in a$, so by Lemma 4.6 also $d \in b$. The other direction is symmetric. □

We would like to mention that all the lemmas above have been verified by computer, by a toy prover we wrote to experiment with IZF_Rω.
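The lemmas above, as an added example that is neither the paper's code nor the author's toy prover: (IN) and (EQ) read as a mutually recursive definition over intensional hereditarily finite sets, encoded as tuples of their $\in_I$-members (duplicates and order are intensional detail), with Lemmas 4.1 to 4.7 checked over a finite universe closed under $\in_I$.

```python
"""Added example: the (IN) and (EQ) axioms of IZF_Rω as a mutually recursive
definition over intensional hereditarily finite sets.  A set is a tuple of its
∈_I-members; the recursion descends along ∈_I exactly as ∈_I-induction does."""

def eq(a, b):
    """a = b  iff  ∀d. (d ∈_I a → d ∈ b) ∧ (d ∈_I b → d ∈ a)   (the (EQ) axiom)."""
    return all(mem(d, b) for d in a) and all(mem(d, a) for d in b)

def mem(a, b):
    """a ∈ b  iff  ∃c. c ∈_I b ∧ a = c   (the (IN) axiom)."""
    return any(eq(a, c) for c in b)

def intensional_mem(a, b):
    """a ∈_I b: a is literally one of the components of b (identity of trees)."""
    return any(a == c for c in b)

def hereditary_closure(sets):
    """All sets reachable by ∈_I from the given ones, so Lemma 4.7 can be checked."""
    out, todo = [], list(sets)
    while todo:
        s = todo.pop()
        if s not in out:
            out.append(s)
            todo.extend(s)
    return out

def check_lemmas(universe):
    """Names of the lemmas among 4.1-4.7 that fail over the universe (empty if none).
    The universe must be closed under ∈_I; then, as in the proof of 4.7, agreement
    of ∈ on every d in it already forces equality."""
    u, failed = list(universe), []
    if not all(eq(a, a) for a in u):
        failed.append("4.1 reflexivity")
    if not all(mem(a, b) for a in u for b in u if intensional_mem(a, b)):
        failed.append("4.2 ∈_I implies ∈")
    if not all(eq(b, a) for a in u for b in u if eq(a, b)):
        failed.append("4.3 symmetry")
    if not all(eq(a, c) for a in u for b in u for c in u if eq(a, b) and eq(b, c)):
        failed.append("4.4 transitivity")
    if not all(mem(b, c) for a in u for b in u for c in u if mem(a, c) and eq(a, b)):
        failed.append("4.5 = respects ∈ on the left")
    if not all(mem(d, b) for a in u for b in u for d in u if eq(a, b) and mem(d, a)):
        failed.append("4.6 = respects ∈ on the right")
    if not all(eq(a, b) for a in u for b in u if all(mem(d, a) == mem(d, b) for d in u)):
        failed.append("4.7 extensionality")
    return failed

# Constructed samples: ∅, {∅}, the intensionally different {∅, ∅}, {∅, {∅}}, {{∅, ∅}, ∅}.
EMPTY = ()
ONE = (EMPTY,)
ONE_DUP = (EMPTY, EMPTY)
TWO = (EMPTY, ONE)
TWO_ALT = (ONE_DUP, EMPTY)
SAMPLES = hereditary_closure([TWO, TWO_ALT, ((ONE, ONE_DUP),)])
```

Note that `mem(ONE_DUP, TWO)` holds while `intensional_mem(ONE_DUP, TWO)` does not: extensional membership sees through the intensional presentation, which is exactly what (IN) adds over $\in_I$.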

Lemma 4.8 (The Leibniz axiom). For any term $t(a, \vec{f})$ and formula $\phi(a, \vec{f})$ not containing $\in_I$, if $a = b$, then $t(a, \vec{f}) = t(b, \vec{f})$ and $\phi(a, \vec{f}) \to \phi(b, \vec{f})$.

Proof. Straightforward mutual induction on the generation of $t$ and $\phi$. We show some representative cases. Case $t$ or $\phi$ of:

• $\bigcup t_1(a)$. If $c \in_I \bigcup t_1(a)$, then for some $d$, $c \in d \in t_1(a)$. By the inductive hypothesis $t_1(a) = t_1(b)$, so by Lemma 4.6 $d \in t_1(b)$, so $c \in_I \bigcup t_1(b)$ and by Corollary 4.2 also $c \in \bigcup t_1(b)$. The other direction is symmetric and by the (EQ) axiom we get $t(a) = t(b)$.

• $S_\phi(t_1(a), \vec{u}(a))$. If $c \in_I S_\phi(t_1(a), \vec{u}(a))$, then $c \in t_1(a)$ and $\phi(c, \vec{u}(a))$. By the inductive hypothesis, $t_1(a) = t_1(b)$ and $\vec{u}(a) = \vec{u}(b)$, and thus $\phi(c, \vec{u}(b))$ and $c \in t_1(b)$, so $c \in_I S_\phi(t_1(b), \vec{u}(b))$ and also $c \in S_\phi(t_1(b), \vec{u}(b))$.

• $t(a) \in s(a)$. By the inductive hypothesis, $t(a) = t(b)$ and $s(a) = s(b)$. Thus by Lemma 4.6 $t(a) \in s(b)$ and by Lemma 4.5 $t(b) \in s(b)$.

• $\forall c.\ \phi(c, a, \vec{f})$. Take any $c$; we have $\phi(c, a, \vec{f})$, so by the inductive hypothesis $\phi(c, b, \vec{f})$, so $\forall c.\ \phi(c, b, \vec{f})$. □

Lemma 4.9. For any term $t_A(\vec{a})$, $c \in t_A(\vec{a})$ iff $\phi_A(c, \vec{a})$.

Proof. The right-to-left direction follows immediately by Corollary 4.2. For the left-to-right direction, suppose $c \in t_A(\vec{a})$. Then there is $d$ such that $d \in_I t_A(\vec{a})$ and $c = d$. Therefore $\phi_A(d, \vec{a})$ holds and by the Leibniz axiom we also get $\phi_A(c, \vec{a})$. □
Lemma 4.10. For any axiom A of IZF_R^ω, IZF_Rω $\vdash$ A.

Proof. Lemmas 4.7, 4.8 and 4.9 show the claim for all the axioms apart from (IND_φ). So suppose $\forall a.\ (\forall b \in a.\ \phi(b, \vec{f})) \to \phi(a, \vec{f})$. We need to show $\forall a.\ \phi(a, \vec{f})$. We proceed by $\in_I$-induction on $a$. It suffices to show $\forall c.\ (\forall d \in_I c.\ \phi(d, \vec{f})) \to \phi(c, \vec{f})$. Take any $c$ and suppose $\forall d \in_I c.\ \phi(d, \vec{f})$. We need to show $\phi(c, \vec{f})$. Take $a$ to be $c$ in the assumption, so it suffices to show that $\forall b \in c.\ \phi(b, \vec{f})$. Take any $b \in c$. Then there is $e \in_I c$ such that $e = b$. By the inductive hypothesis $\phi(e, \vec{f})$ holds and hence by the Leibniz axiom we get $\phi(b, \vec{f})$, which shows the claim. □

Corollary 4.11. If IZF_R^ω $\vdash \phi$, then IZF_Rω $\vdash \phi$.

Lemma 4.12. If IZF_Rω $\vdash \phi$ and $\phi$ does not contain $\in_I$, then IZF_R^ω $\vdash \phi$.

Proof. Working in IZF_R^ω, simply interpret $\in_I$ as $\in$ to see that all axioms of IZF_Rω are valid and that if IZF_Rω $\vdash \phi$, then IZF_R^ω $\vdash \phi[\in_I := \in]$. □

Therefore IZF_Rω is a legitimate axiomatization of IZF with Replacement and inaccessible sets. From now on the names of the axioms refer to the axiomatization of IZF_Rω.



5. The λZ_ω calculus

We now introduce a lambda calculus λZ_ω for IZF_Rω, based on the Curry-Howard isomorphism principle. The part of λZ_ω corresponding to first-order logic is essentially λP1 from [SU06]. The rest of the calculus, apart from the clauses corresponding to the (IN), (EQ) and (INAC_i) axioms, is identical to λZ from [Moc06a].

5.1. The terms of λZ_ω. The lambda terms in λZ_ω will be denoted by letters $M, N, O, P$. There are two kinds of lambda abstraction in λZ_ω, one corresponding to the proofs of implication, the other to the proofs of universal quantification. We use separate sets of variables for these abstractions and call them propositional and first-order variables, respectively. Letters $x, y, z$ will be used for the propositional variables and letters $a, b, c$ for the first-order variables. Letters $t, s, u$ are reserved for IZF_Rω terms. The types in the system are IZF_Rω formulas. The terms are generated by the following abstract grammar:

$$M ::= x \mid M N \mid \lambda a.\ M \mid \lambda x : \phi.\ M \mid \mathrm{inl}(M) \mid \mathrm{inr}(M) \mid \mathrm{fst}(M) \mid \mathrm{snd}(M) \mid [t, M] \mid M\ t \mid \langle M, N \rangle \mid \mathrm{case}(M, x : \phi.\ N, x : \psi.\ O) \mid \mathrm{magic}(M) \mid \mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N \mid$$

$$\mathrm{ind}_{\phi(a, \vec{b})}(M, \vec{t}) \mid \mathrm{inac}_i\mathrm{Prop}(t, M) \mid \mathrm{inac}_i\mathrm{Rep}(t, M) \mid \mathrm{inProp}(t, u, M) \mid \mathrm{inRep}(t, u, M) \mid \mathrm{eqProp}(t, u, M) \mid \mathrm{eqRep}(t, u, M) \mid$$

$$\mathrm{pairProp}(t, u_1, u_2, M) \mid \mathrm{pairRep}(t, u_1, u_2, M) \mid \mathrm{unionProp}(t, u, M) \mid \mathrm{unionRep}(t, u, M) \mid \mathrm{sep}_{\phi(a, \vec{f})}\mathrm{Prop}(t, u, \vec{u}, M) \mid \mathrm{sep}_{\phi(a, \vec{f})}\mathrm{Rep}(t, u, \vec{u}, M) \mid \mathrm{powerProp}(t, u, M) \mid \mathrm{powerRep}(t, u, M) \mid$$

$$\mathrm{infProp}(t, M) \mid \mathrm{infRep}(t, M) \mid \mathrm{repl}_{\phi(a, b, \vec{f})}\mathrm{Prop}(t, u, \vec{u}, M) \mid \mathrm{repl}_{\phi(a, b, \vec{f})}\mathrm{Rep}(t, u, \vec{u}, M)$$

The ind terms correspond to the (IND) axiom, the Prop and Rep terms correspond to the respective axioms of IZF_Rω and the rest of the terms correspond to the rules of IFOL. The exact nature of the correspondence will become clear in Section 5.3. To avoid listing all of them repeatedly, we adopt the convention of using axRep and axProp terms to tacitly mean all Rep and Prop terms, for ax being one of in, eq, pair, union, sep, power, inf, repl and inac_i, unless we list some of them separately. With this convention in mind, we can summarize the definition of the Prop and Rep terms as:

$$\mathrm{axProp}(t, \vec{u}, M) \mid \mathrm{axRep}(t, \vec{u}, M),$$

where the number of terms in the sequence $\vec{u}$ depends on the particular axiom.

The free variables of a lambda term are defined as usual, taking into account that the variables in λ, case and let terms bind the respective terms. The relation of α-equivalence is defined taking this information into account. We consider α-equivalent terms equal. We denote all free variables of a term $M$ by $FV(M)$ and the free first-order variables of a term by $FV_F(M)$. The free (first-order) variables of a context $\Gamma$ are denoted by $FV(\Gamma)$ ($FV_F(\Gamma)$) and defined in a natural way.



5.2. The reduction relation. The deterministic reduction relation $\to$ arises from the following reduction rules and evaluation contexts:

$$(\lambda x : \phi.\ M)\ N \to M[x := N] \qquad (\lambda a.\ M)\ t \to M[a := t]$$

$$\mathrm{fst}(\langle M, N \rangle) \to M \qquad \mathrm{snd}(\langle M, N \rangle) \to N$$

$$\mathrm{case}(\mathrm{inl}(M), x : \phi.\ N, x : \psi.\ O) \to N[x := M] \qquad \mathrm{case}(\mathrm{inr}(M), x : \phi.\ N, x : \psi.\ O) \to O[x := M]$$

$$\mathrm{let}\ [a, x : \phi] := [t, M]\ \mathrm{in}\ N \to N[a := t][x := M]$$

$$\mathrm{axProp}(t, \vec{u}, \mathrm{axRep}(t, \vec{u}, M)) \to M$$

$$\mathrm{ind}_\phi(M, \vec{t}) \to \lambda c.\ M\ c\ (\lambda b. \lambda x : b \in_I c.\ \mathrm{ind}_\phi(M, \vec{t})\ b)$$

In the reduction rule for ind terms, the variable $x$ is new. The evaluation contexts describe the call-by-need (lazy) evaluation order:

$$[\circ] ::= \mathrm{fst}([\circ]) \mid \mathrm{snd}([\circ]) \mid \mathrm{case}([\circ], x.N, x.O) \mid \mathrm{axProp}(t, \vec{u}, [\circ]) \mid \mathrm{let}\ [a, x : \phi] := [\circ]\ \mathrm{in}\ N \mid [\circ]\ M \mid \mathrm{magic}([\circ])$$

We distinguish certain λZ_ω terms as values. The values are generated by the following abstract grammar, where $M$ is an arbitrary term. Obviously, there are no possible reductions from values.

$$V ::= \lambda a.\ M \mid \lambda x : \phi.\ M \mid \mathrm{inr}(M) \mid \mathrm{inl}(M) \mid [t, M] \mid \langle M, N \rangle \mid \mathrm{axRep}(t, \vec{u}, M)$$

Definition 5.1. We write $M \downarrow$ if the reduction sequence starting from $M$ terminates. In this situation we also say that $M$ normalizes. We write $M \downarrow v$ if we want to state that $v$ is the term at which this reduction sequence terminates. We write $M \to^* M'$ if $M$ reduces to $M'$ in some number of steps.
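The reduction relation and evaluation contexts of this section, as an added example that is not code from the paper: a small Python interpreter over tuple-encoded λZ_ω terms. It assumes that the context $[\circ]\ M$ also covers first-order application $[\circ]\ t$, leaves out the ind terms, and keeps type annotations as opaque strings; the sample term and its witness are constructed for the example.

```python
"""Deterministic lazy reduction for the core of λZ_ω (section 5.2). Added example,
not from the paper: proof terms are tagged tuples, first-order terms are strings
(variables) or tuples (symbol, args...), type annotations are opaque strings (the
reduction never inspects them), and the ind terms are left out."""
import itertools

_counter = itertools.count()

def fresh(x):  # a binder name unused so far (assumes user names contain no '#')
    return f"{x.split('#')[0]}#{next(_counter)}"

# Proof-term children per constructor, and which name slot binds which child.
KIDS = {'var': (), 'app': (1, 2), 'lam': (3,), 'flam': (2,), 'fapp': (1,),
        'inl': (1,), 'inr': (1,), 'pair': (1, 2), 'fst': (1,), 'snd': (1,),
        'magic': (1,), 'case': (1, 4, 7), 'pack': (2,), 'let': (4, 5),
        'axrep': (3,), 'axprop': (3,)}
BINDS = {'lam': {3: 1}, 'case': {4: 2, 7: 5}, 'let': {5: 2}}   # propositional binders
FBINDS = {'flam': {2: 1}, 'let': {5: 1}}                       # first-order binders
FO_POS = {'fapp': 2, 'pack': 1}                                # one first-order term
VALUES = {'lam', 'flam', 'inl', 'inr', 'pack', 'pair', 'axrep'}
HOLES = {'fst': 1, 'snd': 1, 'case': 1, 'axprop': 3, 'let': 4, 'app': 1,
         'fapp': 1, 'magic': 1}                                # evaluation contexts [o]

def fo_subst(u, a, t):
    """t substituted for the variable a inside the first-order term u."""
    if isinstance(u, str):
        return t if u == a else u
    return (u[0],) + tuple(fo_subst(v, a, t) for v in u[1:])

def subst(M, x, N, fo=False):
    """Capture-avoiding M[x := N]; fo=True substitutes a first-order variable."""
    if not fo and M[0] == 'var':
        return N if M[1] == x else M
    L = list(M)
    if fo and M[0] in FO_POS:                 # first-order terms stored in proof terms
        L[FO_POS[M[0]]] = fo_subst(L[FO_POS[M[0]]], x, N)
    elif fo and M[0] in ('axrep', 'axprop'):  # the sequence t, u of an axiom term
        L[2] = tuple(fo_subst(u, x, N) for u in L[2])
    for i in KIDS[M[0]]:
        b = (FBINDS if fo else BINDS).get(M[0], {}).get(i)
        if b is not None:
            if L[b] == x:                     # x is shadowed below this binder
                continue
            z = fresh(L[b])                   # rename the binder so it cannot capture N
            L[i], L[b] = subst(L[i], L[b], z if fo else ('var', z), fo), z
        L[i] = subst(L[i], x, N, fo)
    return tuple(L)

def step(M):
    """One step of the deterministic reduction; None if M does not reduce."""
    tag = M[0]
    if tag == 'app' and M[1][0] == 'lam':            # (λx:φ. M) N → M[x := N]
        return subst(M[1][3], M[1][1], M[2])
    if tag == 'fapp' and M[1][0] == 'flam':          # (λa. M) t → M[a := t]
        return subst(M[1][2], M[1][1], M[2], fo=True)
    if tag in ('fst', 'snd') and M[1][0] == 'pair':  # projections of a pair
        return M[1][1] if tag == 'fst' else M[1][2]
    if tag == 'case' and M[1][0] in ('inl', 'inr'):  # case on an injection
        n, x = (4, 2) if M[1][0] == 'inl' else (7, 5)
        return subst(M[n], M[x], M[1][1])
    if tag == 'let' and M[4][0] == 'pack':           # let [a,x:φ] := [t,M] in N → N[a:=t][x:=M]
        return subst(subst(M[5], M[1], M[4][1], fo=True), M[2], M[4][2])
    if tag == 'axprop' and M[3][0] == 'axrep' and M[3][1:3] == M[1:3]:
        return M[3][3]                               # axProp(t,u,axRep(t,u,M)) → M
    # Otherwise reduce inside the hole of an evaluation context, never under a
    # constructor (lazy); "[o] M" is read as covering first-order application "[o] t".
    inner = step(M[HOLES[tag]]) if tag in HOLES else None
    if inner is None:
        return None
    L = list(M)
    L[HOLES[tag]] = inner
    return tuple(L)

def normalize(M, limit=10000):
    """Follow the reduction sequence to its end (the paper's M ↓ v)."""
    for _ in range(limit):
        N = step(M)
        if N is None:
            return M
        M = N
    raise RuntimeError("no normal form reached within the step limit")

# Constructed sample: a proof of (∃a. φ(a) ∧ ψ(a)) → ∃a. ψ(a), applied to the witness
# [S(b), ⟨P, Q⟩], where P and Q stand for arbitrary proof terms.
PROJ = ('lam', 'x', '∃a. φ(a) ∧ ψ(a)',
        ('let', 'a', 'y', 'φ(a) ∧ ψ(a)', ('var', 'x'), ('pack', 'a', ('snd', ('var', 'y')))))
WITNESS = ('pack', ('S', 'b'), ('pair', ('var', 'P'), ('var', 'Q')))

def run_sample():
    # Lazy evaluation stops at the value [S(b), snd(⟨P, Q⟩)]; snd is not reduced.
    return normalize(('app', PROJ, WITNESS))
```

The sample shows the lazy order concretely: the result is a value of the form $[t, M]$ with an unreduced $\mathrm{snd}$ inside, because no evaluation context reaches under a constructor.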
5.3. The types of λZ_ω. The type system for λZ_ω is constructed according to the principle of the Curry-Howard isomorphism for IZF_Rω. Types are IZF_Rω formulas, and terms are λZ_ω terms. Contexts $\Gamma$ are finite sets of pairs $(x_i, \phi_i)$. The first set of rules corresponds to first-order logic.

$$\frac{}{\Gamma, x : \phi \vdash x : \phi} \qquad \frac{\Gamma \vdash M : \phi \to \psi \quad \Gamma \vdash N : \phi}{\Gamma \vdash M N : \psi} \qquad \frac{\Gamma, x : \phi \vdash M : \psi}{\Gamma \vdash \lambda x : \phi.\ M : \phi \to \psi}$$

$$\frac{\Gamma \vdash M : \phi \quad \Gamma \vdash N : \psi}{\Gamma \vdash \langle M, N \rangle : \phi \wedge \psi} \qquad \frac{\Gamma \vdash M : \phi \wedge \psi}{\Gamma \vdash \mathrm{fst}(M) : \phi} \qquad \frac{\Gamma \vdash M : \phi \wedge \psi}{\Gamma \vdash \mathrm{snd}(M) : \psi}$$

$$\frac{\Gamma \vdash M : \phi}{\Gamma \vdash \mathrm{inl}(M) : \phi \vee \psi} \qquad \frac{\Gamma \vdash M : \psi}{\Gamma \vdash \mathrm{inr}(M) : \phi \vee \psi} \qquad \frac{\Gamma \vdash M : \phi \vee \psi \quad \Gamma, x : \phi \vdash N : \vartheta \quad \Gamma, x : \psi \vdash O : \vartheta}{\Gamma \vdash \mathrm{case}(M, x : \phi.\ N, x : \psi.\ O) : \vartheta}$$

$$\frac{\Gamma \vdash M : \phi \quad a \notin FV_F(\Gamma)}{\Gamma \vdash \lambda a.\ M : \forall a.\ \phi} \qquad \frac{\Gamma \vdash M : \forall a.\ \phi}{\Gamma \vdash M\ t : \phi[a := t]} \qquad \frac{\Gamma \vdash M : \phi[a := t]}{\Gamma \vdash [t, M] : \exists a.\ \phi}$$

$$\frac{\Gamma \vdash M : \bot}{\Gamma \vdash \mathrm{magic}(M) : \phi} \qquad \frac{\Gamma \vdash M : \exists a.\ \phi \quad \Gamma, x : \phi \vdash N : \psi \quad a \notin FV_F(\Gamma, \psi)}{\Gamma \vdash \mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N : \psi}$$

The rest of the rules correspond to IZF_Rω axioms:

$$\frac{\Gamma \vdash M : \forall d.\ (d \in_I t \to d \in u) \wedge (d \in_I u \to d \in t)}{\Gamma \vdash \mathrm{eqRep}(t, u, M) : t = u} \qquad \frac{\Gamma \vdash M : t = u}{\Gamma \vdash \mathrm{eqProp}(t, u, M) : \forall d.\ (d \in_I t \to d \in u) \wedge (d \in_I u \to d \in t)}$$

$$\frac{\Gamma \vdash M : \exists c.\ c \in_I u \wedge t = c}{\Gamma \vdash \mathrm{inRep}(t, u, M) : t \in u} \qquad \frac{\Gamma \vdash M : t \in u}{\Gamma \vdash \mathrm{inProp}(t, u, M) : \exists c.\ c \in_I u \wedge t = c}$$

$$\frac{\Gamma \vdash M : \phi_A(t, \vec{u})}{\Gamma \vdash \mathrm{axRep}(t, \vec{u}, M) : t \in_I t_A(\vec{u})} \qquad \frac{\Gamma \vdash M : t \in_I t_A(\vec{u})}{\Gamma \vdash \mathrm{axProp}(t, \vec{u}, M) : \phi_A(t, \vec{u})}$$

$$\frac{\Gamma \vdash M : \forall c.\ (\forall b.\ b \in_I c \to \phi(b, \vec{t})) \to \phi(c, \vec{t})}{\Gamma \vdash \mathrm{ind}_{\phi(a, \vec{b})}(M, \vec{t}) : \forall a.\ \phi(a, \vec{t})}$$



5.4. The properties of λZ_ω. We now proceed with a standard sequence of lemmas for λZ_ω.

Lemma 5.2 (Canonical Forms). Suppose $M$ is a value and $\vdash M : \vartheta$. Then:

• $\vartheta = t \in_I t_A(\vec{u})$ iff $M = \mathrm{axRep}(t, \vec{u}, N)$ and $\vdash N : \phi_A(t, \vec{u})$.

• $\vartheta = \phi \vee \psi$ iff ($M = \mathrm{inl}(N)$ and $\vdash N : \phi$) or ($M = \mathrm{inr}(N)$ and $\vdash N : \psi$).

• $\vartheta = \phi \wedge \psi$ iff $M = \langle N, O \rangle$, $\vdash N : \phi$ and $\vdash O : \psi$.

• $\vartheta = \phi \to \psi$ iff $M = \lambda x : \phi.\ N$ and $x : \phi \vdash N : \psi$.

• $\vartheta = \forall a.\ \phi$ iff $M = \lambda a.\ N$ and $\vdash N : \phi$.

• $\vartheta = \exists a.\ \phi$ iff $M = [t, N]$ and $\vdash N : \phi[a := t]$.

• $\vartheta = \bot$ never happens.

Proof. Immediate from the typing rules and the definition of values. □
Lemma 5.3 (Weakening). If $\Gamma \vdash M : \phi$ and $FV(\psi) \cup \{x\}$ are fresh to the proof tree $\Gamma \vdash M : \phi$, then $\Gamma, x : \psi \vdash M : \phi$.

Proof. Straightforward induction on $\Gamma \vdash M : \phi$. □

There are two substitution lemmas, one for the propositional part, the other for the first-order part of the calculus. Since the rules and terms of λZ_ω corresponding to IZF_Rω axioms do not interact with substitutions in a significant way, the proofs are routine.

Lemma 5.4. If $\Gamma, x : \phi \vdash M : \psi$ and $\Gamma \vdash N : \phi$, then $\Gamma \vdash M[x := N] : \psi$.

Proof. By induction on $\Gamma, x : \phi \vdash M : \psi$. We show two interesting cases.

• $\psi = \psi_1 \to \psi_2$, $M = \lambda y : \psi_1.\ O$. Using α-conversion we can choose $y$ to be new, so that $y \notin FV(\Gamma, x) \cup FV(N)$. The proof tree must end with:

$$\frac{\Gamma, x : \phi, y : \psi_1 \vdash O : \psi_2}{\Gamma, x : \phi \vdash \lambda y : \psi_1.\ O : \psi_1 \to \psi_2}$$

By the inductive hypothesis, $\Gamma, y : \psi_1 \vdash O[x := N] : \psi_2$, so $\Gamma \vdash \lambda y : \psi_1.\ O[x := N] : \psi_1 \to \psi_2$. By the choice of $y$, $\Gamma \vdash (\lambda y : \psi_1.\ O)[x := N] : \psi_1 \to \psi_2$.

• $\psi = \psi_2$, $M = \mathrm{let}\ [a, y : \psi_1] := M_1\ \mathrm{in}\ M_2$. The proof tree ends with:

$$\frac{\Gamma, x : \phi \vdash M_1 : \exists a.\ \psi_1 \quad \Gamma, x : \phi, y : \psi_1 \vdash M_2 : \psi_2}{\Gamma, x : \phi \vdash \mathrm{let}\ [a, y : \psi_1] := M_1\ \mathrm{in}\ M_2 : \psi_2}$$

Choose $a$ and $y$ to be fresh. By the inductive hypothesis, $\Gamma \vdash M_1[x := N] : \exists a.\ \psi_1$ and $\Gamma, y : \psi_1 \vdash M_2[x := N] : \psi_2$. Thus $\Gamma \vdash \mathrm{let}\ [a, y : \psi_1] := M_1[x := N]\ \mathrm{in}\ M_2[x := N] : \psi_2$. By $a$ and $y$ fresh, $\Gamma \vdash (\mathrm{let}\ [a, y : \psi_1] := M_1\ \mathrm{in}\ M_2)[x := N] : \psi_2$, which is what we want. □

Lemma 5.5. If $\Gamma \vdash M : \phi$, then $\Gamma[a := t] \vdash M[a := t] : \phi[a := t]$.

Proof. By induction on $\Gamma \vdash M : \phi$. Most of the rules do not interact with first-order substitution, so we will show the proof just for two of them which do.

• $\phi = \forall b.\ \phi_1$, $M = \lambda b.\ M_1$. The proof tree ends with:

Without loss of generality we can assume that $b \notin FV(t) \cup \{a\}$. By the inductive hypothesis, $\Gamma[a := t] \vdash M_1[a := t] : \phi_1[a := t]$. Therefore $\Gamma[a := t] \vdash \lambda b.\ M_1[a := t] : \forall b.\ \phi_1[a := t]$ and by the choice of $b$, $\Gamma[a := t] \vdash (\lambda b.\ M_1)[a := t] : (\forall b.\ \phi_1)[a := t]$.

• $\phi = \phi_1[b := u]$, $M = M_1\ u$ for some term $u$. The proof tree ends with:

$$\frac{\Gamma \vdash M_1 : \forall b.\ \phi_1}{\Gamma \vdash M_1\ u : \phi_1[b := u]}$$

Choosing $b$ to be fresh, by the inductive hypothesis we get $\Gamma[a := t] \vdash M_1[a := t] : \forall b.\ (\phi_1[a := t])$, so $\Gamma[a := t] \vdash M_1[a := t]\ u[a := t] : \phi_1[a := t][b := u[a := t]]$. By Lemma 2.1 and $b \notin FV(t)$, we get $\Gamma[a := t] \vdash (M_1\ u)[a := t] : \phi_1[b := u][a := t]$. □
With the lemmas at hand, Progress and Preservation follow easily:

Lemma 5.6 (Subject Reduction, Preservation). If $\Gamma \vdash M : \phi$ and $M \to N$, then $\Gamma \vdash N : \phi$.

Proof. By induction on the definition of $M \to N$. We show several cases. Case $M \to N$ of:

• $(\lambda x : \phi_1.\ M_1)\ M_2 \to M_1[x := M_2]$. The proof tree $\Gamma \vdash M : \phi$ must end with:

$$\frac{\dfrac{\Gamma, x : \phi_1 \vdash M_1 : \phi}{\Gamma \vdash \lambda x : \phi_1.\ M_1 : \phi_1 \to \phi} \quad \Gamma \vdash M_2 : \phi_1}{\Gamma \vdash (\lambda x : \phi_1.\ M_1)\ M_2 : \phi}$$

By Lemma 5.4, $\Gamma \vdash M_1[x := M_2] : \phi$.

• $\mathrm{let}\ [a, x : \phi_1] := [t, M_1]\ \mathrm{in}\ M_2 \to M_2[a := t][x := M_1]$. The proof tree $\Gamma \vdash M : \phi$ must end with:

$$\frac{\dfrac{\Gamma \vdash M_1 : \phi_1[a := t]}{\Gamma \vdash [t, M_1] : \exists a.\ \phi_1} \quad \Gamma, x : \phi_1 \vdash M_2 : \phi}{\Gamma \vdash \mathrm{let}\ [a, x : \phi_1] := [t, M_1]\ \mathrm{in}\ M_2 : \phi}$$

Choose $a$ to be fresh. Thus $M_1[a := t] = M_1$ and $\Gamma[a := t] = \Gamma$. By the side-condition of the last typing rule, $a \notin FV(\phi)$, so $\phi[a := t] = \phi$. By Lemma 5.5 we get $\Gamma[a := t], x : \phi_1[a := t] \vdash M_2[a := t] : \phi[a := t]$, so also $\Gamma, x : \phi_1[a := t] \vdash M_2[a := t] : \phi$. By Lemma 5.4 we get $\Gamma \vdash M_2[a := t][x := M_1] : \phi$.

• $\mathrm{axProp}(t, \vec{u}, \mathrm{axRep}(t, \vec{u}, M_1)) \to M_1$. The proof tree must end with:

$$\frac{\dfrac{\Gamma \vdash M_1 : \phi_A(t, \vec{u})}{\Gamma \vdash \mathrm{axRep}(t, \vec{u}, M_1) : t \in_I t_A(\vec{u})}}{\Gamma \vdash \mathrm{axProp}(t, \vec{u}, \mathrm{axRep}(t, \vec{u}, M_1)) : \phi_A(t, \vec{u})}$$

The claim follows immediately.

• $\mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t}) \to \lambda c.\ M_1\ c\ (\lambda b. \lambda x : b \in_I c.\ \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t})\ b)$. The proof tree must end with:

$$\frac{\Gamma \vdash M_1 : \forall c.\ (\forall b.\ b \in_I c \to \phi(b, \vec{t})) \to \phi(c, \vec{t})}{\Gamma \vdash \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t}) : \forall a.\ \phi(a, \vec{t})}$$

We choose $b, c, x$ to be fresh. By applying α-conversion we can also obtain a proof tree of $\Gamma \vdash M_1 : \forall e.\ (\forall d.\ d \in_I e \to \phi(d, \vec{t})) \to \phi(e, \vec{t})$, where $\{d, e\} \cap \{b, c\} = \emptyset$. Then by Weakening we get $\Gamma, x : b \in_I c \vdash M_1 : \forall e.\ (\forall d.\ d \in_I e \to \phi(d, \vec{t})) \to \phi(e, \vec{t})$, so also $\Gamma, x : b \in_I c \vdash \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t}) : \forall a.\ \phi(a, \vec{t})$. Let the proof tree $T$ be defined as:

$$\frac{\dfrac{\dfrac{\Gamma, x : b \in_I c \vdash \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t}) : \forall a.\ \phi(a, \vec{t})}{\Gamma, x : b \in_I c \vdash \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t})\ b : \phi(b, \vec{t})}}{\Gamma \vdash \lambda x : b \in_I c.\ \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t})\ b : b \in_I c \to \phi(b, \vec{t})}}{\Gamma \vdash \lambda b. \lambda x : b \in_I c.\ \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t})\ b : \forall b.\ b \in_I c \to \phi(b, \vec{t})}$$

Then the following proof tree shows the claim:

$$\frac{\dfrac{\dfrac{\Gamma \vdash M_1 : \forall c.\ (\forall b.\ b \in_I c \to \phi(b, \vec{t})) \to \phi(c, \vec{t})}{\Gamma \vdash M_1\ c : (\forall b.\ b \in_I c \to \phi(b, \vec{t})) \to \phi(c, \vec{t})} \quad T}{\Gamma \vdash M_1\ c\ (\lambda b. \lambda x : b \in_I c.\ \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t})\ b) : \phi(c, \vec{t})}}{\Gamma \vdash \lambda c.\ M_1\ c\ (\lambda b. \lambda x : b \in_I c.\ \mathrm{ind}_{\phi(a, \vec{b})}(M_1, \vec{t})\ b) : \forall c.\ \phi(c, \vec{t})}$$

□

Lemma 5.7 (Progress). If $\vdash M : \phi$, then either $M$ is a value or there is $N$ such that $M \to N$.

Proof. Straightforward induction on the length of $M$. The proof proceeds by case analysis of $M$. We show several cases:

• It is easy to see that the case $M = x$ cannot happen.

• If $M = \lambda x : \psi.\ N$, then $M$ is a value.

• If $M = N\ O$, then for some $\psi$ the proof must end with:

$$\frac{\vdash N : \psi \to \phi \qquad \vdash O : \psi}{\vdash N\ O : \phi}$$

By the inductive hypothesis, either $N$ is a value or there is $N'$ such that $N \to N'$. In the former case, by Canonical Forms for some $P$ we have $N = \lambda x : \psi.\ P$, so $N\ O \to P[x := O]$. In the latter case, $N\ O \to N'\ O$.

• If $M = \mathrm{axRep}(t, \vec u, N)$, then $M$ is a value.

• If $M = \mathrm{axProp}(t, \vec u, O)$, then we have the following proof tree:

$$\frac{\vdash O : t \in_I t_A(\vec u)}{\vdash \mathrm{axProp}(t, \vec u, O) : \phi_A(t, \vec u)}$$

By the inductive hypothesis, either $O$ is a value or there is $O_1$ such that $O \to O_1$. In the former case, by Canonical Forms, $O = \mathrm{axRep}(t, \vec u, P)$ and $M \to P$. In the latter, by the evaluation rules $\mathrm{axProp}(t, \vec u, O) \to \mathrm{axProp}(t, \vec u, O_1)$.

• The cases corresponding to the equality and membership axioms work in the same way.

• The ind terms always reduce. □

Corollary 5.8. If $\vdash M : \phi$ and $M \downarrow v$, then $\vdash v : \phi$ and $v$ is a value.

Corollary 5.9. If $\vdash M : \bot$, then $M$ does not normalize.

Proof. If $M$ normalized, then by Corollary 5.8 we would have a value of type $\bot$, which by Canonical Forms is impossible. □

Finally, we state the formal correspondence between $\lambda Z_\omega$ and $\mathrm{IZF}_R^\omega$:

Lemma 5.10 (Curry-Howard isomorphism). If $\Gamma \vdash O : \phi$ then $\mathrm{IZF}_R^\omega + rg(\Gamma) \vdash \phi$, where $rg(\Gamma) = \{\phi \mid (x, \phi) \in \Gamma\}$. If $\mathrm{IZF}_R^\omega + \Gamma \vdash \phi$, then there exists a term $M$ such that $\Gamma' \vdash M : \phi$, where $\Gamma' = \{(x_\phi, \phi) \mid \phi \in \Gamma\}$.

Proof. Both parts follow by easy induction on the proof. The first part is straightforward: to get the claim simply erase the lambda terms from the proof tree. For the second part, we show terms and trees corresponding to the $\mathrm{IZF}_R^\omega$ axioms:

• Let $\phi$ be one of the $\mathrm{IZF}_R^\omega$ axioms apart from $\in$-Induction. Then $\phi = \forall \vec a.\ \forall c.\ c \in_I t_A(\vec a) \leftrightarrow \phi_A(c, \vec a)$ for the axiom (A) (incorporating axioms (IN) and (EQ) in this case in the obvious way). Recall that $\phi_1 \leftrightarrow \phi_2$ is an abbreviation for $(\phi_1 \to \phi_2) \wedge (\phi_2 \to \phi_1)$. Let $T$ be the following proof tree:

$$\frac{\dfrac{\Gamma, x : \phi_A(c, \vec a) \vdash x : \phi_A(c, \vec a)}{\Gamma, x : \phi_A(c, \vec a) \vdash \mathrm{axRep}(c, \vec a, x) : c \in_I t_A(\vec a)}}{\Gamma \vdash \lambda x : \phi_A(c, \vec a).\ \mathrm{axRep}(c, \vec a, x) : \phi_A(c, \vec a) \to c \in_I t_A(\vec a)}$$

Let $M_1 = \lambda x : c \in_I t_A(\vec a).\ \mathrm{axProp}(c, \vec a, x)$ and let $M_2 = \lambda x : \phi_A(c, \vec a).\ \mathrm{axRep}(c, \vec a, x)$. Then the following proof tree shows the claim:

$$\frac{\dfrac{\dfrac{\dfrac{\Gamma, x : c \in_I t_A(\vec a) \vdash x : c \in_I t_A(\vec a)}{\Gamma, x : c \in_I t_A(\vec a) \vdash \mathrm{axProp}(c, \vec a, x) : \phi_A(c, \vec a)}}{\Gamma \vdash M_1 : c \in_I t_A(\vec a) \to \phi_A(c, \vec a)} \qquad T}{\Gamma \vdash (M_1, M_2) : c \in_I t_A(\vec a) \leftrightarrow \phi_A(c, \vec a)}}{\Gamma \vdash \lambda \vec a.\ \lambda c.\ (M_1, M_2) : \forall \vec a.\ \forall c.\ c \in_I t_A(\vec a) \leftrightarrow \phi_A(c, \vec a)}$$

• Let $\phi$ be the $\in$-Induction axiom. Let

$$M = \lambda f.\ \lambda x : (\forall a.\ (\forall b.\ b \in_I a \to \psi(b, f)) \to \psi(a, f)).\ \mathrm{ind}_{\psi(a,f)}(x, f).$$

The following proof tree shows the claim:

$$\frac{\dfrac{\Gamma, x : \forall a.\,(\forall b.\ b \in_I a \to \psi(b, f)) \to \psi(a, f) \vdash x : \forall a.\,(\forall b.\ b \in_I a \to \psi(b, f)) \to \psi(a, f)}{\Gamma, x : \forall a.\,(\forall b.\ b \in_I a \to \psi(b, f)) \to \psi(a, f) \vdash \mathrm{ind}_{\psi(a,f)}(x, f) : \forall a.\ \psi(a, f)}}{\Gamma \vdash M : \forall f.\ (\forall a.\,(\forall b.\ b \in_I a \to \psi(b, f)) \to \psi(a, f)) \to \forall a.\ \psi(a, f)}$$

□

Note that all proofs in this section are constructive and quite weak from the proof-theoretic point of view: Heyting Arithmetic should be sufficient to formalize the arguments. However, by the Curry-Howard isomorphism and Corollary 5.9, normalization of $\lambda Z_\omega$ entails consistency of $\mathrm{IZF}_R^\omega$, which easily interprets Heyting Arithmetic. Therefore a normalization proof must utilize much stronger means, which we introduce in the following section.

6. Realizability for $\mathrm{IZF}_R^\omega$

In this section we work in ZF with $\omega$-many strongly inaccessible cardinals. We denote the $i$-th strongly inaccessible by $\Gamma_i$ and choose them so that $\Gamma_i \in \Gamma_{i+1}$. It is likely that IZF with Collection and $\omega$-many inaccessible sets would be sufficient, as excluded middle is not used explicitly; however, arguments using ordinals and ranks would need to be done very carefully, as the notion of an ordinal in constructive set theories is problematic [Pow75, Tay96].

6.1. Realizers. Our realizers are essentially terms of $\lambda Z_\omega$. For convenience, wherever possible, we erase logic terms and formulas from the parameters of axRep, axProp, ind and case terms. We call the resulting calculus $\overline{\lambda Z}_\omega$. More formally, $\overline{\lambda Z}_\omega$ arises as the image of an erasure map $\overline{M}$, which takes as its argument a $\lambda Z_\omega$-term $M$. This map is defined by structural induction on $M$ and induced by the following cases:

$$\overline{\mathrm{axRep}(t, \vec u, M)} = \mathrm{axRep}(\overline M) \qquad \overline{\mathrm{axProp}(t, \vec u, M)} = \mathrm{axProp}(\overline M) \qquad \overline{\mathrm{ind}_\phi(M, t)} = \mathrm{ind}(\overline M)$$

$$\overline{\lambda x : \phi.\ M} = \lambda x.\ \overline M \qquad \overline{\mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N} = \mathrm{let}\ [a, x] := \overline M\ \mathrm{in}\ \overline N$$

$$\overline{\mathrm{case}(M, x : \phi.\ N, x : \psi.\ O)} = \mathrm{case}(\overline M, x.\ \overline N, x.\ \overline O)$$

The erasure on the rest of the terms is defined in the natural way, for example $\overline{(M, N)} = (\overline M, \overline N)$, $\overline{[t, M]} = [t, \overline M]$ and $\overline{M\ t} = \overline M\ t$. The reduction rules and values in $\overline{\lambda Z}_\omega$ are induced from $\lambda Z_\omega$ in the obvious way. The set of $\overline{\lambda Z}_\omega$ terms will be denoted by $\overline{\lambda Z}_\omega$ and the set of $\overline{\lambda Z}_\omega$ values by $\overline{\lambda Z}_\omega^{v}$.

Lemma 6.1. If $M$ normalizes, so does $\overline M$.

Proof. Straightforward: the erased information does not affect the reductions. □

The fact that logic terms do not play any role in the reductions is crucial for the normalization argument to work.

This definition of the erasure map and $\overline{\lambda Z}_\omega$ fixes a small mistake in the presentation in [Moc06a], where a bit too much information was erased.
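The erasure map and the observation behind Lemma 6.1, as an added example (not code from the paper): terms are modelled as nested tuples, the erasure drops the logic annotations exactly as the clauses above do, and a small reducer checks that erasing before or after a reduction step yields the same term, which is the fact the normalization argument relies on. The tuple encoding, the binder-slot lists, the restriction to the proof-level part of the calculus (no first-order abstraction, no ind unfolding, and let binding only its proof variable) and the sample terms are all assumptions of this example.

```python
"""Erasure map of Section 6.1 and the commutation behind Lemma 6.1.

Added example; the encoding below is an assumption of this example:
  - a subterm is a tuple whose first element is a constructor tag;
  - a binder slot is a list [name, annotation]; the annotation becomes
    None once erased;
  - first-order terms t, u and formulas phi are opaque strings.
Only the proof-level part of the calculus is reduced here: first-order
abstraction/application and the unfolding of ind are not modelled, and
'let' binds just its proof variable (the a := t substitution is omitted).
"""

# positions of the binder slots for the binding constructors
BINDERS = {"lam": (1,), "let": (1,), "case": (2, 4)}


def erase(m):
    """The erasure map: drop t, u and phi from axRep, axProp, ind, lambda,
    let and case; all other constructors are erased structurally."""
    tag = m[0]
    if tag in ("axRep", "axProp"):          # axRep(t, u, M)  ->  axRep(M)
        return (tag, erase(m[3]))
    if tag == "ind":                        # ind_phi(M, t)   ->  ind(M)
        return ("ind", erase(m[2]))
    out = [tag]
    for i, c in enumerate(m[1:], start=1):
        if i in BINDERS.get(tag, ()):       # [x, phi]  ->  [x, None]
            out.append([c[0], None])
        elif isinstance(c, tuple):
            out.append(erase(c))
        else:
            out.append(c)                   # opaque first-order term
    return tuple(out)


def subst(m, x, n):
    """M[x := N]. Bound names are assumed fresh (as the paper always
    chooses them), so no renaming is needed."""
    tag = m[0]
    if tag == "var":
        return n if m[1] == x else m
    if any(m[i][0] == x for i in BINDERS.get(tag, ())):
        return m                            # x is rebound here
    return tuple(subst(c, x, n) if isinstance(c, tuple) else c for c in m)


def step(m):
    """One reduction step, or None when m is in normal form. The same
    rules apply to annotated and erased terms, which is the point."""
    tag = m[0]
    if tag == "app" and m[1][0] == "lam":       # (lambda x : phi. M) N  ->  M[x := N]
        return subst(m[1][2], m[1][1][0], m[2])
    if tag == "let" and m[2][0] == "fpair":     # let [a, x : phi] := [t, M] in N  ->  N[x := M]
        return subst(m[3], m[1][0], m[2][2])
    if tag == "case" and m[1][0] == "inl":      # case(inl(M), x. N, y. O)  ->  N[x := M]
        return subst(m[3], m[2][0], m[1][1])
    if tag == "case" and m[1][0] == "inr":      # case(inr(M), x. N, y. O)  ->  O[y := M]
        return subst(m[5], m[4][0], m[1][1])
    if tag in ("fst", "snd") and m[1][0] == "pair":
        return m[1][1] if tag == "fst" else m[1][2]
    if tag == "axProp" and m[-1][0] == "axRep": # axProp(t, u, axRep(t, u, M))  ->  M
        return m[-1][-1]
    for i, c in enumerate(m):                   # otherwise reduce inside
        if i > 0 and isinstance(c, tuple):
            r = step(c)
            if r is not None:
                return m[:i] + (r,) + m[i + 1:]
    return None


def normalize(m, limit=1000):
    """Reduce m to normal form; returns (normal form, number of steps)."""
    steps = 0
    while (r := step(m)) is not None:
        m, steps = r, steps + 1
        if steps > limit:
            raise RuntimeError("reduction limit exceeded")
    return m, steps


def commutes(m, limit=1000):
    """Check erase(step(M)) == step(erase(M)) along the reduction of M,
    and that M and its erasure reach normal form together (Lemma 6.1)."""
    for _ in range(limit):
        r = step(m)
        if r is None:
            return step(erase(m)) is None
        if erase(r) != step(erase(m)):
            return False
        m = r
    return False


# Constructed sample terms (not from the paper).
ID = ("lam", ["w", "psi"], ("var", "w"))
# (lambda x : phi. axProp(t, u, x)) (axRep(t, u, lambda w : psi. w))
SAMPLE_AX = ("app", ("lam", ["x", "phi"], ("axProp", "t", "u", ("var", "x"))),
             ("axRep", "t", "u", ID))
# let [a, x : phi] := [t, inl((ID, ID))] in case(x, y : phi1. fst(y), z : phi2. z)
SAMPLE_LET = ("let", ["x", "phi"], ("fpair", "t", ("inl", ("pair", ID, ID))),
              ("case", ("var", "x"), ["y", "phi1"], ("fst", ("var", "y")),
               ["z", "phi2"], ("var", "z")))

if __name__ == "__main__":
    for name, term in (("SAMPLE_AX", SAMPLE_AX), ("SAMPLE_LET", SAMPLE_LET)):
        nf, n = normalize(term)
        print(name, "->", nf, "in", n, "steps; erasure commutes:", commutes(term))
```

Running the block reduces both sample terms to the identity `ID` (in 2 and 3 steps respectively) and reports that the erasure commutes with every step; the design choice that makes this work is that `step` never inspects an annotation, so the typed and the erased term follow the same rule at every position.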

6.2. Realizability relation. Having defined realizers, we proceed to define the realizability relation. Our definition was inspired by McCarty's [McC84]. From now on, the letter $T$ denotes the set of all $\mathrm{IZF}_R^\omega$ terms.

Definition 6.2. A set $A$ is a $\lambda$-name iff $A$ is a set of pairs $(v, B)$ such that $v \in \overline{\lambda Z}_\omega^{v}$ and $B$ is a $\lambda$-name.

In other words, $\lambda$-names are sets hereditarily labelled by $\overline{\lambda Z}_\omega$ values.

Definition 6.3. The class of $\lambda$-names is denoted by $V^\lambda$.

Formally, $V^\lambda$ is generated by the following transfinite inductive definition on ordinals:

$$V^\lambda_\alpha = \bigcup_{\beta < \alpha} P(\overline{\lambda Z}_\omega^{v} \times V^\lambda_\beta) \qquad V^\lambda = \bigcup_{\alpha \in \mathrm{ORD}} V^\lambda_\alpha$$

Definition 6.4. The $\lambda$-rank of a $\lambda$-name $A$, denoted by $\lambda rk(A)$, is the smallest $\alpha$ such that $A \in V^\lambda_\alpha$.

We now define three auxiliary relations between $\overline{\lambda Z}_\omega$ terms and pairs of sets in $V^\lambda$, which we write as $M \Vdash A \in_I B$, $M \Vdash A \in B$, $M \Vdash A = B$. These relations are a prelude to the definition of realizability.

$$M \Vdash A \in_I B \ \equiv\ M \downarrow v \wedge (v, A) \in B$$

$$M \Vdash A \in B \ \equiv\ M \downarrow \mathrm{inRep}(N) \wedge N \downarrow [u, O] \wedge \exists C \in V^\lambda.\ O \downarrow (O_1, O_2) \wedge O_1 \Vdash C \in_I B \wedge O_2 \Vdash A = C$$

$$M \Vdash A = B \ \equiv\ M \downarrow \mathrm{eqRep}(M_0) \wedge M_0 \downarrow \lambda a.\ M_1 \wedge \forall t \in T, \forall D \in V^\lambda.\ M_1[a := t] \downarrow (O, P) \wedge$$
$$O \downarrow \lambda x.\ O_1 \wedge \forall N.\ (N \Vdash D \in_I A) \to O_1[x := N] \Vdash D \in B \wedge$$
$$P \downarrow \lambda x.\ P_1 \wedge \forall N.\ (N \Vdash D \in_I B) \to P_1[x := N] \Vdash D \in A$$

The relations $M \Vdash A \in B$ and $M \Vdash A = B$ are defined together in a standard way by transfinite recursion. See for example [Rat05] for more details.

Definition 6.5. For any set $C \in V^\lambda$, $C^+$ denotes $\{(M, A) \mid M \Vdash A \in C\}$.

Definition 6.6. A (class-sized) first-order language $L$ arises from enriching the $\mathrm{IZF}_R^\omega$ signature with constants for all $\lambda$-names.

From now on until the end of this section, the symbols $M, N, O, P$ range exclusively over $\overline{\lambda Z}_\omega$-terms, the letters $a, b, c$ vary over first-order variables in the language, the letters $A, B, C$ vary over $\lambda$-names and the letter $\rho$ varies over finite partial functions from first-order variables in $L$ to $V^\lambda$. We call such functions environments.
Definition 6.7. For any formula $\phi$ of $L$, any term $t$ of $L$ and $\rho$ defined on all free variables of $\phi$ and $t$, we define by metalevel induction a realizability relation $M \Vdash_\rho \phi$ in an environment $\rho$ and a meaning of a term $[\![t]\!]_\rho$ in an environment $\rho$:

(1) $[\![a]\!]_\rho = \rho(a)$

(2) $[\![A]\!]_\rho = A$

(3) $[\![\omega]\!]_\rho = \omega'$, where $\omega'$ is defined by means of an inductive definition: $\omega'$ is the smallest set such that:

• $(\mathrm{infRep}(N), A) \in \omega'$ if $N \downarrow \mathrm{inl}(O)$, $O \Vdash_\rho A = 0$ and $A \in V^\lambda_\omega$.

• If $(M, B) \in \omega'$ then $(\mathrm{infRep}(N), A) \in \omega'$ if $N \downarrow \mathrm{inr}(N_1)$, $N_1 \downarrow [t, O]$, $O \downarrow (M, P)$, $P \Vdash_\rho A = S(B)$ and $A \in V^\lambda_\omega$.

Note that if $(M, B) \in \omega'^+$, then there is a finite ordinal $\alpha$ such that $B \in V^\lambda_\alpha$.

(4) $[\![V_i]\!]_\rho = U_i$. We will define $U_i$ below.

(5) $[\![t_A(\vec u)]\!]_\rho = \{(\mathrm{axRep}(N), B) \in \overline{\lambda Z}_\omega^{v} \times V^\lambda_\gamma \mid N \Vdash_\rho \phi_A(B, [\![\vec u]\!]_\rho)\}$. The ordinal $\gamma$ will be defined below.

(6) $M \Vdash_\rho \bot \ \equiv\ \bot$

(7) $M \Vdash_\rho t \in_I s \ \equiv\ M \Vdash [\![t]\!]_\rho \in_I [\![s]\!]_\rho$

(8) $M \Vdash_\rho t \in s \ \equiv\ M \Vdash [\![t]\!]_\rho \in [\![s]\!]_\rho$

(9) $M \Vdash_\rho t = s \ \equiv\ M \Vdash [\![t]\!]_\rho = [\![s]\!]_\rho$

(10) $M \Vdash_\rho \phi \wedge \psi \ \equiv\ M \downarrow (M_1, M_2) \wedge (M_1 \Vdash_\rho \phi) \wedge (M_2 \Vdash_\rho \psi)$

(11) $M \Vdash_\rho \phi \vee \psi \ \equiv\ (M \downarrow \mathrm{inl}(M_1) \wedge M_1 \Vdash_\rho \phi) \vee (M \downarrow \mathrm{inr}(M_1) \wedge M_1 \Vdash_\rho \psi)$

(12) $M \Vdash_\rho \phi \to \psi \ \equiv\ (M \downarrow \lambda x.\ M_1) \wedge \forall N.\ (N \Vdash_\rho \phi) \to (M_1[x := N] \Vdash_\rho \psi)$

(13) $M \Vdash_\rho \exists a.\ \phi \ \equiv\ M \downarrow [t, N] \wedge \exists A \in V^\lambda.\ N \Vdash_\rho \phi[a := A]$

(14) $M \Vdash_\rho \forall a.\ \phi \ \equiv\ M \downarrow \lambda a.\ N \wedge \forall A \in V^\lambda, \forall t \in T.\ N[a := t] \Vdash_\rho \phi[a := A]$

To define $U_i$, first recall that the axiom $(\mathrm{INAC}_i)$ has the following form:

$$(\mathrm{INAC}_i)\quad \forall c.\ c \in V_i \leftrightarrow \phi^i_1(c, V_i) \wedge \forall d.\ \phi^i_2(d) \to c \in d.$$

We define a monotonic operator $F$ on sets as:

$$F(A) = A \cup \{(\mathrm{inac}_i\mathrm{Rep}(N), C) \in \overline{\lambda Z}_\omega^{v} \times V^\lambda_{\Gamma_i} \mid N \Vdash_\rho \phi^i_1(C, A) \wedge \forall d.\ \phi^i_2(d) \to C \in d\}.$$

We set $U_i$ to be the smallest fixpoint of $F$. Formally, $U_i$ is generated by a transfinite inductive definition on ordinals:

$$U_{i,\gamma} = F\Big(\bigcup_{\beta < \gamma} U_{i,\beta}\Big) \qquad U_i = \bigcup_{\gamma \in \mathrm{ORD}} U_{i,\gamma}$$

Since $F$ adds only elements from $\overline{\lambda Z}_\omega^{v} \times V^\lambda_{\Gamma_i}$, any element of $U_i$ is in $\overline{\lambda Z}_\omega^{v} \times V^\lambda_{\Gamma_i}$, so $U_i \in V^\lambda_{\Gamma_i + 1}$.

The definition of the ordinal $\gamma$ in item (5) depends on $t_A(\vec u)$. This ordinal is close to the rank of the set denoted by $t_A(\vec u)$ and is chosen so that Lemma 6.31 can be proved. Let $\alpha = \lambda rk([\![u]\!]_\rho)$ (and $\alpha_i = \lambda rk([\![u_i]\!]_\rho)$). Case $t_A(\vec u)$ of:

• $\{u_1, u_2\}$: $\gamma = \max(\alpha_1, \alpha_2)$.

• $P(u)$: $\gamma = \alpha + 1$.

• $\bigcup u$: $\gamma = \alpha$.

• $S_{\phi(a, \vec f)}(u, \vec u)$: $\gamma = \alpha_1$.

• $R_{\phi(a, b, \vec f)}(u, \vec u)$. This case is more complicated. The names are chosen to match the corresponding clause in the proof of Lemma 6.31. Let $G = \{(N_1, (N_{21}, B)) \in \overline{\lambda Z}_\omega \times [\![u]\!]_\rho^+ \mid \exists d \in V^\lambda.\ \psi(N_1, N_{21}, B, d)\}$, where $\psi(N_1, N_{21}, B, d) \equiv (N_1 \downarrow \lambda a.\ N_{11}) \wedge (N_{11} \downarrow \lambda x.\ O) \wedge (O[x := N_{21}] \Vdash_\rho \phi(B, d, [\![\vec u]\!]_\rho) \wedge \forall e.\ \phi(B, e, [\![\vec u]\!]_\rho) \to e = d)$. Then for all $g \in G$ there is $D$ and $(N_1, (N_{21}, B))$ such that $g = (N_1, (N_{21}, B))$ and $\psi(N_1, N_{21}, B, D)$. Use Collection to collect these $D$'s in one set $H$, so that for all $g \in G$ there is $D \in H$ such that the property holds. Apply Replacement to $H$ to get the set of $\lambda$-ranks of sets in $H$. Then $\beta = \bigcup$ of this set is an ordinal and for any $D \in H$, $\lambda rk(D) \le \beta$. Therefore for all $g \in G$ there is $D \in V^\lambda_\beta$ and $(N_1, (N_{21}, B))$ such that $g = (N_1, (N_{21}, B))$ and $\psi(N_1, N_{21}, B, D)$ holds. Set $\gamma = \beta + 1$.

At this point it is not clear yet that the realizability definition makes sense: a priori it might be circular. We will now show that this is not the case.

Definition 6.8. For any closed term $s$, we define the number of occurrences of $s$ in any term $t$ and formula $\phi$, denoted by $Occ(s, t)$ and $Occ(s, \phi)$ respectively, by induction on the definition of terms and formulas. We show representative clauses of the definition:

• $Occ(s, s) = 1$.

• $Occ(s, a) = 0$, where $a$ is a variable.

• $Occ(s, t_A(\vec u)) = Occ(s, u_1) + \ldots + Occ(s, u_n)$.

• $Occ(s, S_\phi(t, \vec u)) = Occ(s, \phi) + Occ(s, t) + Occ(s, u_1) + \ldots + Occ(s, u_n)$.

• $Occ(s, t \in u) = Occ(s, t) + Occ(s, u)$.

• $Occ(s, \phi \wedge \psi) = Occ(s, \phi) + Occ(s, \psi)$.

In a similar manner we define the number of function symbols $FS$ in a term and a formula.

Definition 6.9. Let $\mathcal M(\mathbb N)$ denote the set of all multisets over $\mathbb N$ with the standard well-founded ordering. Formally, a member $A$ of $\mathcal M(\mathbb N)$ is a function from $\mathbb N$ to $\mathbb N$, returning for any $n$ the number of copies of $n$ in $A$. We define a function $V$ taking terms and formulas into $\mathcal M(\mathbb N)$: $V(x)$ for any number $i$ returns $Occ(V_i, x)$, for $x$ being either a term or a formula.

Lemma 6.10. The definition of realizability is well-founded.

Proof. Use the measure function $m$ which takes a clause in the definition and returns an element of $\mathcal M(\mathbb N) \times \mathbb N^3$ with the lexicographical order:

$$m(M \Vdash_\rho \phi) = (V(\phi), Occ(\omega, \phi), FS(\phi), \text{``structural complexity of } \phi\text{''})$$

$$m([\![t]\!]_\rho) = (V(t), Occ(\omega, t), FS(t), 0)$$

Then the measure of the definiendum is always greater than the measure of the definiens: in the clauses for formulas the structural complexity goes down, while the rest of the parameters do not grow larger. In the definition of $[\![V_i]\!]_\rho$, one $V_i$ disappears, replaced by two $V_{i-1}$'s. In the definition of $[\![\omega]\!]_\rho$, one $\omega$ disappears. Finally, in the definition of $[\![t_A(\vec u)]\!]_\rho$, the topmost $t_A$ disappears, while no new $V_i$'s and $\omega$'s appear. □
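The measure of Lemma 6.10 made executable, as an added example (not from the paper): $Occ$, $FS$, $V$ and the multiset ordering on $\mathcal M(\mathbb N)$ are implemented over a tuple encoding of terms and formulas (an assumption of this example), and the clauses discussed in the proof are checked by comparing the measure of the definiendum with that of a definiens built to have the symbol counts the proof describes. The right-hand formulas are constructed stand-ins, since the section does not spell out $\phi^i_1$, $\phi^i_2$ or the $\omega'$ clause in full.

```python
"""The measure of Lemma 6.10 made executable.

Added example; the tuple encoding is an assumption of this example:
  terms     ('var', a), ('V', i), ('omega',), ('name', C) for a lambda-name
            constant of L, ('fun', f, arg, ...) for t_A(u...) with a formula
            parameter (as in S_phi) passed as an ordinary argument;
  formulas  ('in' | 'inI' | 'eq', t, u), ('bot',),
            ('and' | 'or' | 'imp', phi, psi), ('forall' | 'exists', a, phi).
"""
from collections import Counter


def children(x):
    """Sub-terms and sub-formulas of a node; names and indices are not nodes."""
    return [c for c in x[1:] if isinstance(c, tuple)]


def occ(s, x):
    """Occ(s, x): occurrences of the closed term s in the term or formula x."""
    if x == s:
        return 1
    return sum(occ(s, c) for c in children(x))


def fs(x):
    """FS(x): function symbols in x. Only t_A nodes are counted; V_i and
    omega are already tracked by the other measure components."""
    return int(x[0] == "fun") + sum(fs(c) for c in children(x))


def size(x):
    """Structural complexity: number of nodes."""
    return 1 + sum(size(c) for c in children(x))


def v_multiset(x):
    """V(x): the multiset over N in which i occurs Occ(V_i, x) times."""
    m = Counter({x[1]: 1}) if x[0] == "V" else Counter()
    for c in children(x):
        m += v_multiset(c)
    return m


def multiset_greater(m, n):
    """Standard (Dershowitz-Manna) ordering on finite multisets of naturals:
    m > n iff m != n and every i of which n has more copies than m is
    dominated by some j > i of which m has more copies than n."""
    if m == n:
        return False
    for i in set(m) | set(n):
        if n[i] > m[i] and not any(m[j] > n[j] for j in m if j > i):
            return False
    return True


def measure(x, is_formula):
    """m(M ||-_rho phi) = (V(phi), Occ(omega, phi), FS(phi), complexity(phi));
    m([[t]]_rho)     = (V(t),   Occ(omega, t),   FS(t),   0)."""
    return (v_multiset(x), occ(("omega",), x), fs(x), size(x) if is_formula else 0)


def measure_greater(a, b):
    """Lexicographic order on measures, multiset ordering on the first slot."""
    if a[0] != b[0]:
        return multiset_greater(a[0], b[0])
    return a[1:] > b[1:]


def V(i):
    return ("V", i)


C = ("name", "C")                 # a lambda-name constant (constructed)
D, Y = ("var", "d"), ("var", "y")


def clause_checks():
    """Definiendum / definiens pairs shaped like the clauses discussed in the
    proof of Lemma 6.10. The right-hand formulas are constructed stand-ins
    with the symbol counts the proof describes, not the paper's own phi_1^i,
    phi_2^i or omega' clauses."""
    pairs = {
        # [[V_i]]: one V_i disappears, two V_{i-1}'s appear
        "V_i": (measure(V(3), False),
                measure(("and", ("eq", C, V(2)),
                         ("forall", "d", ("imp", ("in", V(2), D), ("in", C, D)))), True)),
        # [[omega]]: one omega disappears (omega' is a set, i.e. a name constant)
        "omega": (measure(("omega",), False),
                  measure(("or", ("eq", C, ("fun", "0")),
                           ("exists", "y", ("and", ("in", Y, ("name", "omega'")),
                                            ("eq", C, ("fun", "S", Y))))), True)),
        # [[t_A(u)]]: the topmost t_A disappears, no new V_i or omega appears
        "t_A": (measure(("fun", "P", ("fun", "pair", V(1), ("omega",))), False),
                measure(("forall", "d", ("imp", ("in", D, C),
                                         ("in", D, ("fun", "pair", V(1), ("omega",))))), True)),
        # M ||- phi /\ psi unfolds to M_1 ||- phi: only the complexity drops
        "and": (measure(("and", ("in", C, V(1)), ("bot",)), True),
                measure(("in", C, V(1)), True)),
    }
    return {name: measure_greater(big, small) for name, (big, small) in pairs.items()}
```

`clause_checks()` returns `True` for every clause; the `V_i` case is the one that needs the multiset ordering rather than plain counting, since the total number of $V$'s goes up (one becomes two) while the multiset $\{3\}$ still dominates $\{2, 2\}$.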

Since the definition is well-founded, (metalevel) inductive proofs on the definition of realizability are justified, such as the proof of the following lemma:

Lemma 6.11. $[\![t[a := s]]\!]_\rho = [\![t[a := [\![s]\!]_\rho]]\!]_\rho = [\![t]\!]_{\rho[a := [\![s]\!]_\rho]}$ and $M \Vdash_\rho \phi[a := s]$ iff $M \Vdash_\rho \phi[a := [\![s]\!]_\rho]$ iff $M \Vdash_{\rho[a := [\![s]\!]_\rho]} \phi$.

Proof. By induction on the definition of realizability. We show representative cases. Case $t$ of:

• $A$: then $[\![t[a := s]]\!]_\rho = [\![t[a := [\![s]\!]_\rho]]\!]_\rho = [\![t]\!]_{\rho[a := [\![s]\!]_\rho]} = A$.

• $a$: then $[\![t[a := s]]\!]_\rho = [\![s]\!]_\rho$, $[\![t[a := [\![s]\!]_\rho]]\!]_\rho = [\![[\![s]\!]_\rho]\!]_\rho = [\![s]\!]_\rho$ and also $[\![t]\!]_{\rho[a := [\![s]\!]_\rho]} = [\![s]\!]_\rho$.

• $t_A(\vec u)$: then $[\![t[a := s]]\!]_\rho = \{(\mathrm{axRep}(N), A) \mid N \Vdash_\rho \phi_A(A, \vec u[a := s])\}$. By the inductive hypothesis, this is equal to $\{(\mathrm{axRep}(N), A) \mid N \Vdash_{\rho[a := [\![s]\!]_\rho]} \phi_A(A, \vec u)\} = [\![t]\!]_{\rho[a := [\![s]\!]_\rho]}$ and also to $\{(\mathrm{axRep}(N), A) \mid N \Vdash_\rho \phi_A(A, \vec u[a := [\![s]\!]_\rho])\}$ and thus to $[\![t[a := [\![s]\!]_\rho]]\!]_\rho$.

For formulas, the atomic cases follow by the proof above and the non-atomic cases follow immediately by the application of the inductive hypothesis. □

Lemma 6.12. If $M \Vdash_\rho \phi$ then $M \downarrow$.

Proof. Straightforward from the definition of realizability: in every case the definition starts with the clause assuring normalization of $M$. □

Lemma 6.13. If $M \to^* M'$ then $M' \Vdash_\rho \phi$ iff $M \Vdash_\rho \phi$.

Proof. Whether $M \Vdash_\rho \phi$ or not depends only on the value of $M$, which does not change with reduction or expansion. □

Lemma 6.14. If $\rho$ agrees with $\rho'$ on $FV(\phi)$, then $M \Vdash_\rho \phi$ iff $M \Vdash_{\rho'} \phi$. In particular, if $a \notin FV(\phi)$, then $M \Vdash_\rho \phi$ iff $M \Vdash_{\rho[a := A]} \phi$.

Proof. Straightforward induction on the definition of realizability: the environment is used only to provide the meaning of the free variables of terms in a formula. □

Lemma 6.15. If $M \Vdash_\rho \phi \to \psi$ and $N \Vdash_\rho \phi$, then $M\ N \Vdash_\rho \psi$.

Proof. Suppose $M \Vdash_\rho \phi \to \psi$. Then $M \downarrow (\lambda x.\ O)$ and for all $P \Vdash_\rho \phi$, $O[x := P] \Vdash_\rho \psi$. Now, $M\ N \to^* (\lambda x.\ O)\ N \to O[x := N]$. Lemma 6.13 gives us the claim. □



6.3. Properties of realizability. We now establish several properties of the realizability relation, which mostly state that the truth in the realizability universe is not far from the truth in the real world, as far as ranks of sets are concerned.

Several lemmas mirror similar facts from McCarty's thesis [McC84]. We cannot, however, simply point to these lemmas and say that essentially they prove the same thing, as our realizability behaves a bit differently from his.

Lemma 6.16. If $A \in V^\lambda_\alpha$, then there is $\beta < \alpha$ such that for all $B$, if $M \Vdash_\rho B \in A$, then $B \in V^\lambda_\beta$. If $M \Vdash_\rho B = A$, then $B \in V^\lambda_\alpha$. If $M \Vdash_\rho B \in_I A$, then $\lambda rk(B) < \lambda rk(A)$.

Proof. By induction on $\alpha$. Take any $A \in V^\lambda_\alpha$. By the definition of $V^\lambda_\alpha$, there is $\beta < \alpha$ such that $A \subseteq \overline{\lambda Z}_\omega^{v} \times V^\lambda_\beta$. Suppose $M \Vdash_\rho B \in A$. Then $M \downarrow \mathrm{inRep}(N)$, $N \downarrow [u, O]$, $O \downarrow (O_1, O_2)$ and there is $C$ such that $O_1 \Vdash C \in_I A$ and $O_2 \Vdash B = C$. Therefore, $O_1 \downarrow v$ and $(v, C) \in A$. Thus $C \in V^\lambda_\beta$, so by the inductive hypothesis also $B \in V^\lambda_\beta$ and we get the claim of the first part of the lemma.

For the second part, suppose $M \Vdash_\rho B = A$. This means that $M \downarrow \mathrm{eqRep}(M_0)$, $M_0 \downarrow \lambda a.\ M_1$ and for all $t \in T$, $D$, $M_1[a := t] \downarrow (O, P)$. Moreover, $O \downarrow \lambda x.\ O_1$ and for all $N \Vdash_\rho D \in_I B$ we have $O_1[x := N] \Vdash_\rho D \in A$. In particular, if $(v, D) \in B$, then $O_1[x := v] \Vdash_\rho D \in A$. By the first part of the lemma, any such $D$ is in $V^\lambda_\beta$ for some $\beta < \alpha$, so $B \in V^\lambda_\alpha$.

The third part is trivial. □

Lemma 6.17. $M \Vdash_\rho A = B$ iff $M \downarrow \mathrm{eqRep}(N)$ and $N \Vdash_\rho \forall d.\ (d \in_I A \to d \in B) \wedge (d \in_I B \to d \in A)$. Also, $M \Vdash_\rho A \in B$ iff $M \downarrow \mathrm{inRep}(N)$ and $N \Vdash_\rho \exists c.\ c \in_I B \wedge A = c$.

Proof. Simply expand what it means for $M$ to realize the respective formulas. □
We now exhibit realizers corresponding to the proofs of Lemmas 4.1–4.5. Their existence and corresponding properties will follow immediately from Theorem 7.4 once it is proved; however, we need them for the proof of Lemma 6.27. Since Lemma 6.27 only needs to be used for a set theory with inaccessibles, an alternative to the tedious proofs below could be to prove normalization for the theory without inaccessibles first, and take the realizers from that normalization theorem.

Lemma 6.18. There is a term $\mathrm{eqRefl}$ such that $\mathrm{eqRefl} \Vdash_\rho \forall a.\ a = a$.

Proof. Take the term $\mathrm{eqRefl} = \mathrm{ind}(M)$, where $M = \lambda c.\ \lambda x.\ \mathrm{eqRep}(\lambda d.\ (N, N))$ and $N = \lambda y.\ \mathrm{inRep}([d, (y, x\ d\ y)])$. Then $\mathrm{eqRefl} \to \lambda a.\ M\ a\ (\lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e)$. It suffices to show that for any $A, t$, $M\ t\ (\lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e) \Vdash_\rho A = A$. We proceed by induction on the $\lambda$-rank of $A$. We have $M\ t\ (\lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e) \downarrow \mathrm{eqRep}(\lambda d.\ (N, N)[x := \lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e])$. It suffices to show that for all $s \in T$, $D \in V^\lambda$, for all $O \Vdash_\rho D \in_I A$, $\mathrm{inRep}([s, (O, (\lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e)\ s\ O)]) \Vdash_\rho D \in A$. Take any $s$, $D$ and $O \Vdash_\rho D \in_I A$. By Lemma 6.16, $\lambda rk(D) < \lambda rk(A)$. We need to show the existence of $C$ such that $O \Vdash_\rho C \in_I A$ and $(\lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e)\ s\ O \Vdash_\rho D = C$. Taking $C = D$, the first part follows trivially. Since $(\lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e)\ s\ O \to^* \mathrm{ind}(M)\ s \to M\ s\ (\lambda e.\ \lambda z.\ \mathrm{ind}(M)\ e)$, we get the claim by Lemma 6.13 and the inductive hypothesis. □

Lemma 6.19. There is a term $\mathrm{eqSymm}$ such that $\mathrm{eqSymm} \Vdash_\rho \forall a, b.\ a = b \to b = a$.

Proof. Take

$$\mathrm{eqSymm} = \lambda a, b.\ \lambda x.\ N, \quad\text{where } N = \mathrm{eqRep}(\lambda d.\ (\mathrm{snd}(\mathrm{eqProp}(x)\ d), \mathrm{fst}(\mathrm{eqProp}(x)\ d))).$$

To show that $\mathrm{eqSymm} \Vdash_\rho \forall a, b.\ a = b \to b = a$, it suffices to show that for any $A, B, t, u, M$, if $M \Vdash_\rho A = B$ then $N[x := M] \Vdash_\rho B = A$. Take any $A, B, t, u, M$. The claim follows if for all $s \in T$, $C$ we can show:

• There is $M_1$ such that $\mathrm{snd}(\mathrm{eqProp}(M)\ s) \downarrow \lambda x.\ M_1$ and for all $N_1 \Vdash_\rho C \in_I B$, $M_1[x := N_1] \Vdash_\rho C \in A$.

• There is $M_2$ such that $\mathrm{fst}(\mathrm{eqProp}(M)\ s) \downarrow \lambda x.\ M_2$ and for all $N_2 \Vdash_\rho C \in_I A$, $M_2[x := N_2] \Vdash_\rho C \in B$.

Since $M \Vdash_\rho A = B$, there is $O$ such that $M \downarrow \mathrm{eqRep}(O)$, so $\mathrm{fst}(\mathrm{eqProp}(M)\ s) \to^* \mathrm{fst}(O\ s)$. Moreover, for some $O_1, O_2$ we have $O\ s \downarrow (O_1, O_2)$, where $O_1 \Vdash_\rho C \in_I A \to C \in B$ and $O_2 \Vdash_\rho C \in_I B \to C \in A$. Therefore, $\mathrm{fst}(\mathrm{eqProp}(M)\ s) \to^* O_1$ and similarly $\mathrm{snd}(\mathrm{eqProp}(M)\ s) \to^* O_2$. We also know that there are some $P_1, P_2$ such that $O_1 \downarrow \lambda x.\ P_1$, $O_2 \downarrow \lambda x.\ P_2$, $P_1[x := N_2] \Vdash_\rho C \in B$ and $P_2[x := N_1] \Vdash_\rho C \in A$. Taking $M_1 = P_2$ and $M_2 = P_1$, we get the claim by Lemma 6.13. □

Lemma 6.20. There is a term $\mathrm{eqTrans}$ such that $\mathrm{eqTrans} \Vdash_\rho \forall b, a, c.\ a = b \wedge b = c \to a = c$.

Proof. The proof and the realizers mirror closely the proof of Lemma 4.4. Set:

$$\begin{aligned}
\mathrm{eqTrans} &= \mathrm{ind}(M_0)\\
M_0 &= \lambda b, x_1, a_1, c, x_2.\ \mathrm{eqRep}(\lambda f.\ (N, O))\\
N &= \lambda x_3.\ \mathrm{let}\ [a_2, x_4] := \mathrm{inProp}(\mathrm{fst}(\mathrm{eqProp}(\mathrm{fst}(x_2))\ f)\ x_3)\ \mathrm{in}\ N_1\\
N_1 &= \mathrm{let}\ [a_3, x_5] := \mathrm{inProp}(\mathrm{fst}(\mathrm{eqProp}(\mathrm{snd}(x_2))\ a_2)\ \mathrm{fst}(x_4))\ \mathrm{in}\ N_2\\
N_2 &= \mathrm{inRep}([a_3, (\mathrm{fst}(x_5), x_1\ a_2\ \mathrm{fst}(x_4)\ f\ a_3\ (\mathrm{snd}(x_4), \mathrm{snd}(x_5)))])\\
O &= \lambda x_3.\ \mathrm{let}\ [a_2, x_4] := \mathrm{inProp}(\mathrm{snd}(\mathrm{eqProp}(\mathrm{snd}(x_2))\ f)\ x_3)\ \mathrm{in}\ O_1\\
O_1 &= \mathrm{let}\ [a_3, x_5] := \mathrm{inProp}(\mathrm{snd}(\mathrm{eqProp}(\mathrm{fst}(x_2))\ a_2)\ \mathrm{fst}(x_4))\ \mathrm{in}\ O_2\\
O_2 &= \mathrm{inRep}([a_3, (\mathrm{fst}(x_5), x_1\ a_2\ \mathrm{fst}(x_4)\ f\ a_3\ (\mathrm{snd}(x_4), \mathrm{snd}(x_5)))]).
\end{aligned}$$

We will show that for all $B$, $\mathrm{eqTrans} \downarrow \lambda b.\ R$ for some term $R$ such that for any term $t$, $R[b := t] \Vdash_\rho \forall a, c.\ a = B \wedge B = c \to a = c$, which trivially implies the claim. We proceed by induction on the $\lambda$-rank of $B$.

We have $\mathrm{eqTrans} \to \lambda e.\ M_0\ e\ M_1$, where $M_1 = \lambda g.\ \lambda x.\ \mathrm{eqTrans}\ g$. Thus it suffices to show that for all $t_1$, $M_0\ t_1\ M_1 \Vdash_\rho \forall a, c.\ a = B \wedge B = c \to a = c$. Since $M_0\ t_1\ M_1 \downarrow \lambda a_1, c, x_2.\ \mathrm{eqRep}(\lambda f.\ (N, O)[x_1 := M_1])$, it suffices to show that for all $A, C, M_2$ such that $M_2 \Vdash_\rho A = B \wedge B = C$ we have $\mathrm{eqRep}(\lambda f.\ (N, O)[x_1, x_2 := M_1, M_2]) \Vdash_\rho A = C$. By Lemma 6.17 it suffices to show that for all $F, u$ we have $N[x_1, x_2, f := M_1, M_2, u] \Vdash_\rho F \in_I A \to F \in C$ and $O[x_1, x_2, f := M_1, M_2, u] \Vdash_\rho F \in_I C \to F \in A$.

For the proof of the first claim, we have $N[x_1, x_2, f := M_1, M_2, u] \downarrow \lambda x_3.\ \ldots$. Take any $M_3 \Vdash_\rho F \in_I A$. We need to show that:

$$\mathrm{let}\ [a_2, x_4] := \mathrm{inProp}(\mathrm{fst}(\mathrm{eqProp}(\mathrm{fst}(M_2))\ u)\ M_3)\ \mathrm{in}\ N_1[x_1, x_2, x_3, f := M_1, M_2, M_3, u] \Vdash_\rho F \in C.$$

We have $\mathrm{fst}(M_2) \Vdash_\rho A = B$, so $\mathrm{eqProp}(\mathrm{fst}(M_2)) \Vdash_\rho \forall f.\ (f \in_I A \to f \in B) \wedge (f \in_I B \to f \in A)$, so by Lemma 6.15 $\mathrm{fst}(\mathrm{eqProp}(\mathrm{fst}(M_2))\ u)\ M_3 \Vdash_\rho F \in B$. Therefore, $\mathrm{fst}(\mathrm{eqProp}(\mathrm{fst}(M_2))\ u)\ M_3 \downarrow \mathrm{inRep}(P)$ and $P \downarrow [t_2, M_4]$ for some $P, A_2, t_2, M_4$ such that $M_4 \Vdash_\rho A_2 \in_I B \wedge F = A_2$. Thus our term $\mathrm{let}\ [a_2, x_4] := \ldots$ reduces to¹ $N_1[x_1, x_2, x_4, a_2, f := M_1, M_2, M_4, t_2, u]$.

Since $\mathrm{snd}(M_2) \Vdash_\rho B = C$, we similarly have $\mathrm{fst}(\mathrm{eqProp}(\mathrm{snd}(M_2))\ t_2)\ \mathrm{fst}(M_4) \Vdash_\rho A_2 \in C$, so $\mathrm{fst}(\mathrm{eqProp}(\mathrm{snd}(M_2))\ t_2)\ \mathrm{fst}(M_4) \downarrow \mathrm{inRep}(Q)$ and for some $A_3$, $Q \downarrow [t_3, M_5]$, $M_5 \Vdash_\rho A_3 \in_I C \wedge A_2 = A_3$. Therefore

$$N_1[\ldots] \downarrow \mathrm{inRep}([t_3, (\mathrm{fst}(M_5), M_1\ t_2\ \mathrm{fst}(M_4)\ u\ t_3\ (\mathrm{snd}(M_4), \mathrm{snd}(M_5)))])$$

and by Lemma 6.13 it suffices to show that

$$\mathrm{inRep}([t_3, (\mathrm{fst}(M_5), M_1\ t_2\ \mathrm{fst}(M_4)\ u\ t_3\ (\mathrm{snd}(M_4), \mathrm{snd}(M_5)))]) \Vdash_\rho F \in C.$$

For this purpose, we need to show that $\mathrm{fst}(M_5) \Vdash_\rho A_3 \in_I C$, which is trivial, and that

$$M_1\ t_2\ \mathrm{fst}(M_4)\ u\ t_3\ (\mathrm{snd}(M_4), \mathrm{snd}(M_5)) \Vdash_\rho F = A_3.$$

Since $M_1 = \lambda g.\ \lambda x.\ \mathrm{eqTrans}\ g$, $\mathrm{snd}(M_4) \Vdash_\rho F = A_2$ and $\mathrm{snd}(M_5) \Vdash_\rho A_2 = A_3$, all we need to have is that $\mathrm{eqTrans}\ t_2 \Vdash_\rho \forall a, c.\ a = A_2 \wedge A_2 = c \to a = c$. Since $\mathrm{fst}(M_4) \Vdash_\rho A_2 \in_I B$, $\lambda rk(A_2) < \lambda rk(B)$ and we get the claim by the inductive hypothesis.

The proof of the second claim proceeds in a very similar fashion. The only thing which differs $O$ and $O_1$ from $N$ and $N_1$ is the exchange of fst and snd, which corresponds to using the information that $\forall f.\ f \in_I C \to f \in B$ and $\forall f.\ f \in_I B \to f \in A$ and proceeding from $C$ to $A$ in the second part of the proof of Lemma 4.4. □

Lemma 6.21. There is a term $\mathrm{lei}$ such that $\mathrm{lei} \Vdash_\rho \forall a, b, c.\ a \in c \wedge a = b \to b \in c$.

Proof. Take

$$\mathrm{lei} = \lambda a, b, c, x.\ \mathrm{let}\ [d, y] := \mathrm{inProp}(\mathrm{fst}(x))\ \mathrm{in}\ \mathrm{inRep}([d, (\mathrm{fst}(y), \mathrm{eqTrans}\ a\ b\ c\ (\mathrm{eqSymm}\ a\ b\ \mathrm{snd}(x), \mathrm{snd}(y)))]).$$

We need to show that for any $t_1, t_2, t_3 \in T$, $A, B, C$, for any $M \Vdash_\rho A \in C \wedge A = B$, we have

$$\mathrm{let}\ [d, y] := \mathrm{inProp}(\mathrm{fst}(M))\ \mathrm{in}\ \mathrm{inRep}([d, (\mathrm{fst}(y), \mathrm{eqTrans}\ t_1\ t_2\ t_3\ (\mathrm{eqSymm}\ t_1\ t_2\ \mathrm{snd}(M), \mathrm{snd}(y)))]) \Vdash_\rho B \in C.$$

¹ Since $x_3$ does not occur in $N_1$ and $N_2$, we omit it from the substitution.

We have $M \downarrow (M_1, M_2)$, $M_1 \Vdash_\rho A \in C$, $M_2 \Vdash_\rho A = B$. Therefore $M_1 \downarrow \mathrm{inRep}(N)$, $N \downarrow [u, O]$, $O \downarrow (O_1, O_2)$ and there is $D$ such that $O_1 \Vdash_\rho D \in_I C$, $O_2 \Vdash_\rho A = D$. Therefore $\mathrm{inProp}(\mathrm{fst}(M)) \downarrow [u, O]$, so it suffices to show that

$$\mathrm{inRep}([u, (\mathrm{fst}(O), \mathrm{eqTrans}\ t_1\ t_2\ t_3\ (\mathrm{eqSymm}\ t_1\ t_2\ \mathrm{snd}(M), \mathrm{snd}(O)))]) \Vdash_\rho B \in C.$$

This follows if we can find some $E$ such that $O_1 \Vdash_\rho E \in_I C$ and

$$\mathrm{eqTrans}\ t_1\ t_2\ t_3\ (\mathrm{eqSymm}\ t_1\ t_2\ \mathrm{snd}(M), \mathrm{snd}(O)) \Vdash_\rho B = E.$$

Take $E$ to be $D$. Since we have $\mathrm{eqSymm}\ t_1\ t_2\ \mathrm{snd}(M) \Vdash_\rho B = A$ and $\mathrm{snd}(O) \Vdash_\rho A = E$, the claim follows by Lemma 6.20. □

The following two lemmas will be used for the treatment of $\omega$ in Lemma 6.31.

Lemma 6.22. If $A, B \in V^\lambda_\alpha$, then $[\![\{A, B\}]\!]_\rho \in V^\lambda_{\alpha+1}$.

Proof. Take any $(M, C) \in [\![\{A, B\}]\!]_\rho$. By the definition of $[\![\{A, B\}]\!]_\rho$, any such $C$ is in $V^\lambda_\alpha$, so $[\![\{A, B\}]\!]_\rho \in V^\lambda_{\alpha+1}$. □

Lemma 6.23. If $A \in V^\lambda_\alpha$ and $M \Vdash_\rho B = S(A)$, then $B \in V^\lambda_{\alpha+3}$.

Proof. $M \Vdash_\rho B = S(A)$ means $M \Vdash_\rho B = \bigcup\{A, \{A, A\}\}$. By Lemma 6.16 it suffices to show that $[\![\bigcup\{A, \{A, A\}\}]\!]_\rho \in V^\lambda_{\alpha+3}$. Applying Lemma 6.22 twice, we find that $[\![\{A, \{A, A\}\}]\!]_\rho \in V^\lambda_{\alpha+2}$. By the definition of $[\![\bigcup\{A, \{A, A\}\}]\!]_\rho$, if $(M, C) \in [\![\bigcup\{A, \{A, A\}\}]\!]_\rho$, then $C \in V^\lambda_{\lambda rk([\![\{A, \{A, A\}\}]\!]_\rho)}$, so $C \in V^\lambda_{\alpha+2}$. Therefore $[\![\bigcup\{A, \{A, A\}\}]\!]_\rho \in V^\lambda_{\alpha+3}$, which shows the claim. □

Lemma 6.24. If $A, B \in V^\lambda_\alpha$ and $M \Vdash_\rho C = (A, B)$, then $C \in V^\lambda_{\alpha+3}$.

Proof. Similar to the proof of Lemma 6.23, utilizing Lemmas 6.22 and 6.16. □

Lemma 6.25. $\lambda rk(C) \le rk(C^+) + \omega$.

Proof. If $(M, A) \in C$, then $M \Vdash_\rho A \in_I C$. We have $\mathrm{inRep}([a, (M, \mathrm{eqRefl}\ a)]) \Vdash_\rho A \in C$, so $(\mathrm{inRep}([a, (M, \mathrm{eqRefl}\ a)]), A) \in C^+$. The extra $\omega$ is there to deal with possible difficulties with finite $C$'s, as we do not know a priori the rank of the set-theoretic encoding of $\mathrm{inRep}([a, (M, \mathrm{eqRefl}\ a)])$. □

Lemma 6.26. If $N \Vdash_\rho \forall x \in A.\ \phi$ then for all $(O, X) \in A^+$, $N \downarrow \lambda a.\ N_1$, $N_1 \downarrow \lambda x.\ N_2$ and $N_2[x := O] \Vdash_\rho \phi[x := X]$. Also, if $N \Vdash_\rho \exists x \in A.\ \phi$ then there is $(O, X) \in A^+$ such that $N \downarrow [t, N_1]$, $N_1 \downarrow (O, N_2)$ and $N_2 \Vdash_\rho \phi[x := X]$.

Proof. If $N \Vdash_\rho \forall x \in A.\ \phi$ then $N \downarrow \lambda a.\ N_1$ and for all $t, X$, $N_1[a := t] \Vdash_\rho X \in A \to \phi$. In particular, taking $t = a$, we get $N_1 \downarrow \lambda x.\ N_2$ and for all $O$ such that $O \Vdash_\rho X \in A$, $N_2[x := O] \Vdash_\rho \phi[x := X]$. This implies that for all $X$, for all $O$, if $O \Vdash_\rho X \in A$, then $N \downarrow \lambda a.\ N_1$, $N_1 \downarrow \lambda x.\ N_2$ and $N_2[x := O] \Vdash_\rho \phi[x := X]$, which proves the first part of the claim.

If $N \Vdash_\rho \exists x \in A.\ \phi$, then $N \downarrow [t, N_1]$ and there is $X$ such that $N_1 \downarrow (O, N_2)$, $O \Vdash_\rho X \in A$ and $N_2 \Vdash_\rho \phi[x := X]$, so there is $(O, X) \in A^+$ such that $N \downarrow [t, N_1]$, $N_1 \downarrow (O, N_2)$ and $N_2 \Vdash_\rho \phi[x := X]$. □
With our lemmas in hand, we can now prove:

Lemma 6.27. Suppose $A \in U_i$ and $N \Vdash_\rho$ "$C$ is a function from $A$ into $V_i$". Then $C \in V^\lambda_{\Gamma_i}$.

Proof. First let us write formally the statement "$C$ is a function from $A$ into $V_i$". This means "for all $x \in A$ there is exactly one $y \in V_i$ such that $(x, y) \in C$ and for all $z \in C$ there is $x \in A$ and $y \in V_i$ such that $z = (x, y)$". Thus $N \downarrow (N_1, N_2)$, $N_1 \Vdash_\rho \forall x \in A\ \exists! y \in V_i.\ (x, y) \in C$ and $N_2 \Vdash_\rho \forall z \in C\ \exists x \in A\ \exists y \in V_i.\ z = (x, y)$. So $N_1 \Vdash_\rho \forall x \in A\ \exists y \in V_i.\ (x, y) \in C \wedge \forall z.\ (x, z) \in C \to z = y$. By Lemma 6.26, for all $(O, X) \in A^+$ there is $(P, Y) \in U_i^+$ such that $\phi(O, X, P, Y)$ holds, where $\phi(O, X, P, Y)$ is defined as:

$$\phi(O, X, P, Y) \equiv (N_1 \downarrow \lambda a.\ N_{11}) \wedge (N_{11} \downarrow \lambda x.\ N_{12}) \wedge (N_{12}[x := O] \downarrow [t, N_{13}]) \wedge (N_{13} \downarrow (P, Q)) \wedge (Q \downarrow (Q_1, Q_2)) \wedge$$
$$(Q_1 \Vdash_\rho (X, Y) \in C) \wedge (Q_2 \Vdash_\rho \forall z.\ (X, z) \in C \to z = Y)$$

Let $\psi(O, X, P, Y)$ be defined as:

$$\psi(O, X, P, Y) \equiv \exists Q_1, Q_2.\ (Q_1 \Vdash_\rho (X, Y) \in C) \wedge (Q_2 \Vdash_\rho \forall z.\ (X, z) \in C \to z = Y)$$

Obviously, if $\phi(O, X, P, Y)$ then $\psi(O, X, P, Y)$. So for all $(O, X) \in A^+$ there is $(P, Y) \in U_i^+$ such that $\psi(O, X, P, Y)$ holds.

Define a function $F$ which takes $(O, X) \in A^+$ and returns $\{(P, Y) \in U_i^+ \mid \psi(O, X, P, Y)\}$. Suppose $(P_1, Y_1), (P_2, Y_2) \in F((O, X))$. Then there are $Q_{11}, Q_{12}, Q_{21}$ such that $Q_{11} \Vdash_\rho (X, Y_1) \in C$, $Q_{12} \Vdash_\rho \forall z.\ (X, z) \in C \to z = Y_1$, $Q_{21} \Vdash_\rho (X, Y_2) \in C$. By Lemma [?], $Q_{12} \downarrow \lambda a.\ P_1$, $P_1 \downarrow \lambda x.\ P_2$ and $P_2[x := Q_{21}] \Vdash_\rho Y_2 = Y_1$. Since $\mathrm{eqSymm}\ a\ a\ P_2[x := Q_{21}] \Vdash_\rho Y_1 = Y_2$, by Lemma 6.16 the $\lambda$-ranks of $Y_1, Y_2$ are the same and, since any such $(P, Y)$ is a member of $U_i^+$, they are smaller than $\Gamma_i$. Also, for any $(O, X) \in A^+$, $F(O, X)$ is inhabited.

Furthermore, define a function $G$ from $A^+$ to $\Gamma_i$, which takes $(O, X) \in A^+$ and returns $\bigcup\{\lambda rk((P, Y)) \mid (P, Y) \in F(O, X) \wedge \psi(O, X, P, Y)\}$. Then for any $(O, X) \in A^+$, $G(O, X)$ is an ordinal smaller than $\Gamma_i$ and if $(P, Y) \in U_i^+$ and $\psi(O, X, P, Y)$, then $(P, Y) \in V^\lambda_{G(O, X)}$. Moreover, as $\Gamma_i$ is inaccessible, $G \in P(\Gamma_i)$, where $P(\Gamma_i)$ denotes the $\Gamma_i$-th element of the standard cumulative hierarchy. Therefore $\bigcup \mathrm{ran}(G)$ is also an ordinal smaller than $\Gamma_i$. We define an ordinal $\beta$ to be $\max(\lambda rk(A), \bigcup \mathrm{ran}(G))$.

Now take any $(M, B) \in C^+$, so $M \Vdash_\rho B \in C$. Then, by the definition of $N_2$ and Lemma 6.26, there is $(O, X) \in A^+$ and $(O_1, Z) \in U_i^+$ such that $N_2 \downarrow \lambda a.\ N_{21}$, $N_{21} \downarrow \lambda x.\ N_{22}$, $N_{22}[x := M] \downarrow [t, N_{23}]$, $N_{23} \downarrow (O, N_{24})$, $N_{24} \downarrow [t, N_{25}]$, $N_{25} \downarrow (O_1, P)$ and $P \Vdash_\rho B = (X, Z)$. Let $M_1 = \mathrm{lei}\ a\ a\ a\ (M, P)$; then $M_1 \Vdash_\rho (X, Z) \in C$. Take any element $(P, Y) \in F(O, X)$ and the accompanying $Q_1, Q_2$. Then $Q_2 \downarrow \lambda a.\ Q_3$, $Q_3 \downarrow \lambda x.\ Q_4$ and $Q_4[x := M_1] \Vdash_\rho Z = Y$. By Lemma 6.16, $\lambda rk(Z) \le \lambda rk(Y)$ and thus $\lambda rk(Z) \le \beta$. Since $(O, X) \in A^+$, $\lambda rk(X) \le \beta$, too. By Lemma 6.24, $\lambda rk(B) < \beta + 2$. By Lemma 6.25, $rk(B) < \beta + \omega$, so $rk(C^+) < \beta + \omega + 1$. By Lemma 6.25 again, $\lambda rk(C) < \beta + 2\omega$. Since $\beta + 2\omega$ is still smaller than $\Gamma_i$, we get the claim. □

Lemma 6.28. If $M \Vdash_\rho A \in U_{i,\gamma}$, then $M \Vdash_\rho A \in V_i$.

Proof. If $M \Vdash_\rho A \in U_{i,\gamma}$, then $M \downarrow \mathrm{inRep}(N)$, $N \downarrow [t, O]$, $O \downarrow (O_1, O_2)$ and there is $C$ such that $O_1 \downarrow v$, $(v, C) \in U_{i,\gamma}$, $O_2 \Vdash_\rho C = A$. Then also $(v, C) \in U_i$, so $O_1 \Vdash_\rho C \in_I V_i$, so also $M \Vdash_\rho A \in V_i$. □
Lemma 6.29. If $N \Vdash_\rho \psi_i(C, U_{i,\gamma})$, where $\psi_i$ is one of the five clauses defining $\phi^i_1(C, U_{i,\gamma})$ in Definition 3.3, then $N \Vdash_\rho \psi_i(C, V_i)$.

Proof. There are five cases to consider:

• $N \Vdash_\rho C = V_{i-1}$. This case is trivial.

• $N \Vdash_\rho \exists a.\ a \in U_{i,\gamma} \wedge C \in a$. Then there is $A$ such that $N \downarrow [t, O]$, $O \downarrow (O_1, O_2)$, $O_1 \Vdash_\rho A \in U_{i,\gamma}$, $O_2 \Vdash_\rho C \in A$. By Lemma 6.28, $O_1 \Vdash_\rho A \in V_i$, so also $N \Vdash_\rho \exists a.\ a \in V_i \wedge C \in a$.

• $N \Vdash_\rho \exists a.\ a \in U_{i,\gamma} \wedge C = \bigcup a$. Then there is $A$ such that $N \downarrow [t, O]$, $O \downarrow (O_1, O_2)$, $O_1 \Vdash_\rho A \in U_{i,\gamma}$, $O_2 \Vdash_\rho C = \bigcup A$. Thus by Lemma 6.28 $O_1 \Vdash_\rho A \in V_i$ and we get the claim in the same way as in the previous case.

• $N \Vdash_\rho \exists a.\ a \in U_{i,\gamma} \wedge C = P(a)$. Similar to the previous case.

• $N \Vdash_\rho \exists a.\ a \in U_{i,\gamma} \wedge C \in a \to U_{i,\gamma}$. Then there is $A$ such that $N \downarrow [t, O]$, $O \downarrow (O_1, O_2)$, $O_1 \Vdash_\rho A \in U_{i,\gamma}$, $O_2 \Vdash_\rho$ "$C$ is a function from $A$ into $U_{i,\gamma}$". By Lemma 6.28, $O_1 \Vdash_\rho A \in V_i$. Expanding the second part, we have $O_2 \downarrow (P_1, P_2)$, $P_1 \Vdash_\rho \forall x \in A\ \exists! y \in U_{i,\gamma}.\ (x, y) \in C$ and $P_2 \Vdash_\rho \forall z \in C\ \exists x \in A\ \exists y \in U_{i,\gamma}.\ z = (x, y)$. We will tackle $P_1$ and $P_2$ separately.

– For $P_1$, we have for all $X, t$, $P_1 \downarrow \lambda a.\ P_{11}$, $P_{11}[a := t] \downarrow \lambda x.\ Q$ and for all $R \Vdash_\rho X \in A$ there is $Y$ such that $Q[x := R] \downarrow [t_1, Q_0]$, $Q_0 \downarrow (Q_1, Q_2)$, $Q_1 \Vdash_\rho Y \in U_{i,\gamma}$ and $Q_2 \Vdash_\rho (X, Y) \in C \wedge \forall z.\ (X, z) \in C \to z = Y$. By Lemma 6.28 we also have $Q_1 \Vdash_\rho Y \in V_i$, so also $P_1 \Vdash_\rho \forall x \in A\ \exists! y.\ y \in V_i \wedge (x, y) \in C$.

– For $P_2$, we have for all $Z, t$, $P_2 \downarrow \lambda a.\ P_{11}$, $P_{11}[a := t] \downarrow \lambda x.\ Q$ and for all $R \Vdash_\rho Z \in C$ there are $X, Y$ such that $Q[x := R] \downarrow [t_1, Q_0]$, $Q_0 \downarrow (Q_1, Q_2)$ and $Q_1 \Vdash_\rho X \in A$. Moreover, $Q_2 \downarrow [t_2, S_0]$, $S_0 \downarrow (S_1, S_2)$ and $S_1 \Vdash_\rho Y \in U_{i,\gamma}$. By Lemma 6.28 we also have $S_1 \Vdash_\rho Y \in V_i$, so also $P_2 \Vdash_\rho \forall z \in C.\ \exists x \in A\ \exists y \in V_i.\ z = (x, y)$.

Therefore also $O_2 \Vdash_\rho$ "$C$ is a function from $A$ into $V_i$" and in the end $N \Vdash_\rho \exists a.\ a \in V_i \wedge C \in a \to V_i$. □

Corollary 6.30. If $M \Vdash_\rho \phi^i_1(C, U_{i,\gamma})$, then $M \Vdash_\rho \phi^i_1(C, V_i)$.

The following lemma states the crucial property of the realizability relation.

Lemma 6.31. $(M, C) \in [\![t_A(\vec u)]\!]_\rho$ iff $M = \mathrm{axRep}(N)$ and $N \Vdash_\rho \phi_A(C, [\![\vec u]\!]_\rho)$.

Proof. The proof proceeds by case analysis on $t_A(\vec u)$. We first do the proof for all terms apart from $\omega$ and $V_1$, then we show the claim for $\omega$ and finally for $V_1$.

For all terms, save $\omega$ and $V_1$, the left-to-right direction is immediate. For the right-to-left direction, suppose $N \Vdash_\rho \phi_A(C, [\![\vec u]\!]_\rho)$ and $M = \mathrm{axRep}(N)$. To show that $(M, C) \in [\![t_A(\vec u)]\!]_\rho$ we need to show that $C \in V_\lambda$. Let $\alpha = \mathrm{rank}([\![\vec u]\!]_\rho)$. Case $t_A(\vec u)$ of:

• $\{u_1, u_2\}$. Suppose that $N \Vdash_\rho C = [\![u_1]\!]_\rho \vee C = [\![u_2]\!]_\rho$. Then either $N \downarrow \mathrm{inl}(N_1) \wedge N_1 \Vdash_\rho C = [\![u_1]\!]_\rho$ or $N \downarrow \mathrm{inr}(N_1) \wedge N_1 \Vdash_\rho C = [\![u_2]\!]_\rho$. By Lemma 6.16, in the former case $C \in V_\alpha$, and likewise in the latter, so $C \in V_\alpha$.

• $P(u)$. Suppose that $N \Vdash_\rho \forall d.\ d \in C \to d \in [\![u]\!]_\rho$. Then $N \downarrow \lambda a.\ N_1$ and for any $t$, $\forall D.\ N_1[a := t] \Vdash_\rho D \in C \to D \in [\![u]\!]_\rho$, so $\forall D, t.\ N_1[a := t] \downarrow \lambda x.\ N_2$ and for all $O$, if $O \Vdash_\rho D \in C$ then $N_2[x := O] \Vdash_\rho D \in [\![u]\!]_\rho$. Take any $(v, B) \in C$. Then $\mathrm{inRep}([a, (v, \mathrm{eqRefl}\ a)]) \Vdash_\rho B \in C$, so $N_2[x := \mathrm{inRep}([a, (v, \mathrm{eqRefl}\ a)])] \Vdash_\rho B \in [\![u]\!]_\rho$. Thus by Lemma 6.16 any such $B$ is in $V_\alpha$, so $C \in V_{\alpha+1}$.

• $\bigcup u$. Suppose $N \Vdash_\rho \exists c.\ c \in [\![u]\!]_\rho \wedge C \in c$. Then $N \downarrow [t, N_1]$ and there is $B$ such that $N_1 \Vdash_\rho B \in [\![u]\!]_\rho \wedge C \in B$. Thus $N_1 \downarrow (N_2, N_3)$, $N_2 \Vdash_\rho B \in [\![u]\!]_\rho$, $N_3 \Vdash_\rho C \in B$. By Lemma 6.16 any such $B$ is in $V_\alpha$, so also $C \in V_\alpha$.

• $S_{\phi(a, \vec f)}(u, \vec f)$. Suppose $N \Vdash_\rho C \in [\![u]\!]_\rho \wedge \phi(C, [\![\vec f]\!]_\rho)$. Then $N \downarrow (N_1, N_2)$ and $N_1 \Vdash_\rho C \in [\![u]\!]_\rho$. Thus $C \in V_\alpha$.

• $R_{\phi(a, b, \vec f)}(u, \vec f)$. Suppose $N \Vdash_\rho (\forall x \in [\![u]\!]_\rho\ \exists! y.\ \phi(x, y, [\![\vec f]\!]_\rho)) \wedge \exists x \in [\![u]\!]_\rho.\ \phi(x, C, [\![\vec f]\!]_\rho)$. Then $N \downarrow (N_1, N_2)$ and $N_2 \Vdash_\rho \exists x \in [\![u]\!]_\rho.\ \phi(x, C, [\![\vec f]\!]_\rho)$. Thus $N_2 \downarrow [t, N_{20}]$, $N_{20} \downarrow (N_{21}, N_{22})$ and there is $B$ such that $N_{21} \Vdash_\rho B \in [\![u]\!]_\rho$ and $N_{22} \Vdash_\rho \phi(B, C, [\![\vec f]\!]_\rho)$. We also have $N_1 \Vdash_\rho \forall x \in [\![u]\!]_\rho\ \exists! y.\ \phi(x, y, [\![\vec f]\!]_\rho)$, so $N_1 \downarrow \lambda a.\ N_{11}$ and for all $C$, $N_{11} \downarrow \lambda x.\ O$ and for all $P \Vdash_\rho C \in [\![u]\!]_\rho$, $O[x := P] \Vdash_\rho \exists! y.\ \phi(C, y, [\![\vec f]\!]_\rho)$. So taking $C = B$ and $P = N_{21}$, there is $D$ such that $N_1 \downarrow \lambda a.\ N_{11}$, $N_{11} \downarrow \lambda x.\ O$, $O[x := N_{21}] \downarrow [s, O_1]$ and $O_1 \Vdash_\rho \phi(B, D, [\![\vec f]\!]_\rho) \wedge \forall e.\ \phi(B, e, [\![\vec f]\!]_\rho) \to e = D$. Therefore $(N_1, (N_{21}, B)) \in G$ from the definition of $\gamma$, so there is $D \in V_\gamma$ such that $N_1 \downarrow \lambda a.\ N_{11}$, $N_{11} \downarrow \lambda x.\ O$, $O[x := N_{21}] \downarrow [s, O_1]$ and $O_1 \Vdash_\rho \phi(B, D, [\![\vec f]\!]_\rho) \wedge \forall e.\ \phi(B, e, [\![\vec f]\!]_\rho) \to e = D$. So $O_1 \downarrow (O_{11}, O_{12})$ and $O_{12} \Vdash_\rho \forall e.\ \phi(B, e, [\![\vec f]\!]_\rho) \to e = D$. Therefore, $O_{12} \downarrow \lambda a.\ Q$, $Q \downarrow \lambda x.\ Q_1$ and $Q_1[x := N_{22}] \Vdash_\rho C = D$. By Lemma 6.16, $C \in V_\gamma$.
Now we tackle $\omega$. For the left-to-right direction, obviously $M = \mathrm{infRep}(N)$. For the claim about $N$ we proceed by induction on the definition of $\omega'$:

• The base case. Then $N \downarrow \mathrm{inl}(O)$ and $O \Vdash_\rho A = 0$, so $N \Vdash_\rho A = 0 \vee \exists y \in \omega'.\ A = S(y)$.

• Inductive step. Then $N \downarrow \mathrm{inr}(N_1)$, $N_1 \downarrow [t, O]$, $O \downarrow (M', P)$, $(M', B) \in \omega'^+$, $P \Vdash_\rho A = S(B)$. Therefore, there is $C$ (namely $B$) such that $M' \Vdash_\rho C \in \omega'$ and $P \Vdash_\rho A = S(C)$. Thus $[t, O] \Vdash_\rho \exists y.\ y \in \omega' \wedge A = S(y)$, so $N \Vdash_\rho A = 0 \vee \exists y \in \omega'.\ A = S(y)$.

For the right-to-left direction, suppose $N \Vdash_\rho A = 0 \vee (\exists y.\ y \in \omega' \wedge A = S(y))$. Then either $N \downarrow \mathrm{inl}(N_1)$ or $N \downarrow \mathrm{inr}(N_1)$. In the former case, $N_1 \Vdash_\rho A = 0$, so by Lemma 6.16 $A \in V_\omega$. In the latter, $N_1 \Vdash_\rho \exists y.\ y \in \omega' \wedge A = S(y)$. Thus $N_1 \downarrow [t, O]$ and there is $B$ such that $O \Vdash_\rho B \in \omega' \wedge A = S(B)$. So $O \downarrow (M', P)$, $(M', B) \in \omega'^+$ and $P \Vdash_\rho A = S(B)$. This is exactly the inductive step of the definition of $\omega'$, so it remains to show that $A \in V_\omega$. Since $(M', B) \in \omega'^+$, there is a finite ordinal $\alpha$ such that $B \in V_\alpha$. By Lemma 6.23 $A \in V_{\alpha+1}$, so also $A \in V_\omega$ and we get the claim.

Finally, we take care of $V_1$. We first show the left-to-right direction. Suppose $(M, A) \in U_1$, then $M = \mathrm{inaccRep}(N)$. We must have $N \Vdash_\rho \phi'_1(A, U_{1,\gamma}) \wedge \forall d.\ \phi_1(d) \to A \in d$ for some ordinal $\gamma$. Then $N \downarrow (N_1, N_2)$, $N_1 \Vdash_\rho \phi'_1(A, U_{1,\gamma})$, $N_2 \Vdash_\rho \forall d.\ \phi_1(d) \to A \in d$. Corollary 6.30 gives us $N_1 \Vdash_\rho \phi'_1(A, V_1)$, so $N \Vdash_\rho \phi'_1(A, V_1) \wedge \forall d.\ \phi_1(d) \to A \in d$, which is what we want.

For the right-to-left direction, suppose $N \Vdash_\rho \phi'_1(C, V_1) \wedge \forall d.\ \phi_1(d) \to C \in d$. We need to show that $(\mathrm{inaccRep}(N), C) \in U_1$. By the definition of $U_1$ it suffices to show that $C \in V_1$. We have $N \downarrow (N_1, N_2)$ and $N_1 \Vdash_\rho$ "$C$ is equal to $V_{-1}$ or there is $A \in V_1$ such that $C$ is a powerset/union/member of $A$, or $C$ is a function from $A$ into $V_1$". The proof splits into corresponding five cases. The first four are easy to prove using Lemma 6.16 and the definition of the ordinal $\gamma$ in clause 5 in the definition of realizability. The last one follows by Lemma 6.27. □

7. Normalization 

In this section, environments $\rho$ are finite partial functions mapping propositional variables to terms of $\lambda Z_\omega$ and first-order variables to pairs $(t, A)$, where $t \in T$ and $A \in V_\lambda$. Therefore, $\rho : Var \cup FVar \to \lambda Z_\omega \cup (T \times V_\lambda)$, where $Var$ denotes the set of propositional variables and $FVar$ denotes the set of first-order variables. Note that any $\rho$ can be used as a realizability environment by considering only the mapping of first-order variables to $V_\lambda$. Therefore we will be using the notation $\Vdash_\rho$ also for these environments $\rho$.

Definition 7.1. For a sequent $\Gamma \vdash M : \phi$, $\rho \models \Gamma \vdash M : \phi$ means that $\rho$ is defined on $FV(\Gamma, M, \phi)$ and for all $(x_i, \phi_i) \in \Gamma$, $\rho(x_i) \Vdash_\rho \phi_i$.

Note that if $\rho \models \Gamma \vdash M : \phi$, then for any term $t$ in $\Gamma, \phi$, $[\![t]\!]_\rho$ is defined and so is the realizability relation $M \Vdash_\rho \phi$.

Definition 7.2. For a sequent $\Gamma \vdash M : \phi$, if $\rho \models \Gamma \vdash M : \phi$ then $M[\rho]$ is $M[x_1 := \rho(x_1), \ldots, x_n := \rho(x_n), a_1 := \rho_T(a_1), \ldots, a_k := \rho_T(a_k)]$, where $FV(M) = \{x_1, \ldots, x_n\}$, $FV_F(M) = \{a_1, \ldots, a_k\}$ and $\rho_T$ denotes the restriction of $\rho$ to the mapping from first-order variables into terms: $\rho_T = \lambda a \in FVar.\ \pi_1(\rho(a))$.

Lemma 7.3. $M[\rho][x := N] = M[\rho[x := N]]$. Also $M[\rho][a := t] = M[\rho[a := (t, A)]]$.

Proof. Straightforward structural induction on $M$. □

Theorem 7.4 (Normalization). If $\Gamma \vdash M : \vartheta$ then for all $\rho \models \Gamma \vdash M : \vartheta$, $M[\rho] \Vdash_\rho \vartheta$.

Proof. For any $\lambda Z_\omega$ term $M$, $M'$ in the proof denotes $M[\rho]$. We proceed by metalevel induction on $\Gamma \vdash M : \vartheta$. Case $\Gamma \vdash M : \vartheta$ of:



$\Gamma, x : \phi \vdash x : \phi$

Then $M' = \rho(x)$ and the claim follows.

$\Gamma \vdash M : \phi \to \psi \quad \Gamma \vdash N : \phi$
$\Gamma \vdash M\ N : \psi$

By the inductive hypothesis, $M' \Vdash_\rho \phi \to \psi$ and $N' \Vdash_\rho \phi$. Lemma 6.15 gives the claim.

$\Gamma, x : \phi \vdash M : \psi$
$\Gamma \vdash \lambda x : \phi.\ M : \phi \to \psi$

We need to show that for any $N \Vdash_\rho \phi$, $M'[x := N] \Vdash_\rho \psi$. Take any such $N$. Let $\rho' = \rho[x := N]$. Then $\rho' \models \Gamma, x : \phi \vdash M : \psi$, so by the inductive hypothesis $M[\rho'] \Vdash_{\rho'} \psi$. By Lemma 7.3 $M[\rho'] = M[\rho][x := N] = M'[x := N]$, so $M'[x := N] \Vdash_{\rho'} \psi$. Since $\rho'$ agrees with $\rho$ on logic variables, by Lemma 6.14 we get $M'[x := N] \Vdash_\rho \psi$.

$\Gamma \vdash M : \bot$
$\Gamma \vdash \mathrm{magic}(M) : \phi$

By the inductive hypothesis, $M' \Vdash_\rho \bot$, which is not the case, so anything holds, in particular $\mathrm{magic}(M') \Vdash_\rho \phi$.

$\Gamma \vdash M : \phi \wedge \psi$
$\Gamma \vdash \mathrm{fst}(M) : \phi$

By the inductive hypothesis, $M' \Vdash_\rho \phi \wedge \psi$, so $M' \downarrow (M_1, M_2)$ and $M_1 \Vdash_\rho \phi$. Therefore $\mathrm{fst}(M') \to^* \mathrm{fst}((M_1, M_2)) \to M_1$. Lemma 6.13 gives the claim.

$\Gamma \vdash M : \phi \wedge \psi$
$\Gamma \vdash \mathrm{snd}(M) : \psi$

Symmetric to the previous case.

$\Gamma \vdash M : \phi \quad \Gamma \vdash N : \psi$
$\Gamma \vdash (M, N) : \phi \wedge \psi$

All we need to show is $M' \Vdash_\rho \phi$ and $N' \Vdash_\rho \psi$, which we get from the inductive hypothesis.

$\Gamma \vdash M : \phi$
$\Gamma \vdash \mathrm{inl}(M) : \phi \vee \psi$

We need to show that $M' \Vdash_\rho \phi$, which we get from the inductive hypothesis.

$\Gamma \vdash M : \psi$
$\Gamma \vdash \mathrm{inr}(M) : \phi \vee \psi$

Symmetric to the previous case.

$\Gamma \vdash M : \phi \vee \psi \quad \Gamma, x : \phi \vdash N : \vartheta \quad \Gamma, x : \psi \vdash O : \vartheta$
$\Gamma \vdash \mathrm{case}(M, x : \phi.\ N, x : \psi.\ O) : \vartheta$

By the inductive hypothesis, $M' \Vdash_\rho \phi \vee \psi$. Therefore either $M' \downarrow \mathrm{inl}(M_1)$ and $M_1 \Vdash_\rho \phi$ or $M' \downarrow \mathrm{inr}(M_2)$ and $M_2 \Vdash_\rho \psi$. We only treat the former case, the latter is symmetric. Since $\rho[x := M_1] \models \Gamma, x : \phi \vdash N : \vartheta$, by the inductive hypothesis we get $N[\rho[x := M_1]] \Vdash_\rho \vartheta$. We also have $\mathrm{case}(M', x.N', x.O') \to^* \mathrm{case}(\mathrm{inl}(M_1), x.N', x.O') \to N'[x := M_1]$. By Lemma 7.3 $N'[x := M_1] = N[\rho[x := M_1]]$, so Lemma 6.13 gives us the claim.

$\Gamma \vdash M : \phi$
$\Gamma \vdash \lambda a.\ M : \forall a.\ \phi$

By the inductive hypothesis, for all $\rho \models \Gamma \vdash M : \phi$, $M[\rho] \Vdash_\rho \phi$. We need to show that for all $\rho \models \Gamma \vdash \lambda a.\ M : \forall a.\ \phi$, $(\lambda a.\ M)[\rho] \Vdash_\rho \forall a.\ \phi$. This is equivalent to $\lambda a.\ M[\rho] \Vdash_\rho \forall a.\ \ph\phi$. Take any such $\rho$. We need to show that $\forall A, t.\ M[\rho][a := t] \Vdash_\rho \phi[a := A]$. Take any $A$ and $t$. Since $\rho[a := (t, A)] \models \Gamma \vdash M : \phi$ and by Lemma 7.3 $M[\rho][a := t] = M[\rho[a := (t, A)]]$, we get the claim by the inductive hypothesis.

$\Gamma \vdash M : \forall a.\ \phi$
$\Gamma \vdash M\ t : \phi[a := t]$

By the inductive hypothesis, $M' \Vdash_\rho \forall a.\ \phi$, so $M' \downarrow \lambda a.\ N$ and $\forall A, u.\ N[a := u] \Vdash_\rho \phi[a := A]$. In particular $N[a := t[\rho]] \Vdash_\rho \phi[a := [\![t]\!]_\rho]$. By Lemma 6.11 $N[a := t[\rho]] \Vdash_\rho \phi[a := t]$. Since $M'\ (t[\rho]) \to^* (\lambda a.\ N)\ t[\rho] \to N[a := t[\rho]]$, Lemma 6.13 gives us the claim.

$\Gamma \vdash M : \phi[a := t]$
$\Gamma \vdash [t, M] : \exists a.\ \phi$

By the inductive hypothesis, $M' \Vdash_\rho \phi[a := t]$, so by Lemma 6.11 $M' \Vdash_\rho \phi[a := [\![t]\!]_\rho]$. Thus, there is a lambda-name $A$, namely $[\![t]\!]_\rho$, such that $M' \Vdash_\rho \phi[a := A]$. Thus, $[t, M][\rho] = [t[\rho], M'] \Vdash_\rho \exists a.\ \phi$ which is what we want.

$\Gamma \vdash M : \exists a.\ \phi \quad \Gamma, x : \phi \vdash N : \psi$
$\Gamma \vdash \mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N : \psi$

Let $\rho \models \Gamma \vdash \mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N : \psi$. We need to show $(\mathrm{let}\ [a, x : \phi] := M\ \mathrm{in}\ N)[\rho] = \mathrm{let}\ [a, x] := M'\ \mathrm{in}\ N[\rho] \Vdash_\rho \psi$. By the inductive hypothesis, $M' \Vdash_\rho \exists a.\ \phi$, so $M' \downarrow [t, M_1]$ and for some $A$, $M_1 \Vdash_\rho \phi[a := A]$. By the inductive hypothesis again, for any $\rho' \models \Gamma, x : \phi \vdash N : \psi$ we have $N[\rho'] \Vdash_{\rho'} \psi$. Take $\rho' = \rho[x := M_1, a := (t, A)]$. Since $a \notin FV(\psi)$, by Lemma 6.14 $N[\rho'] \Vdash_\rho \psi$. Now, $\mathrm{let}\ [a, x] := M'\ \mathrm{in}\ N[\rho] \to^* \mathrm{let}\ [a, x] := [t, M_1]\ \mathrm{in}\ N[\rho] \to N[\rho][a := t][x := M_1] = N[\rho']$. Lemma 6.13 gives us the claim.

$\Gamma \vdash M : \forall d.\ (d \in_I t \to d \in u) \wedge (d \in_I u \to d \in t)$
$\Gamma \vdash \mathrm{eqRep}(t, u, M) : t = u$

By the inductive hypothesis, $M' \Vdash_\rho \forall d.\ (d \in_I t \to d \in u) \wedge (d \in_I u \to d \in t)$. By Lemma 6.11, $M' \Vdash_\rho \forall d.\ (d \in_I [\![t]\!]_\rho \to d \in [\![u]\!]_\rho) \wedge (d \in_I [\![u]\!]_\rho \to d \in [\![t]\!]_\rho)$. By Lemma 6.17, $\mathrm{eqRep}(M') \Vdash_\rho [\![t]\!]_\rho = [\![u]\!]_\rho$. Lemma 6.11 applied again gives us the claim.

$\Gamma \vdash M : t = u$
$\Gamma \vdash \mathrm{eqProp}(t, u, M) : \forall d.\ (d \in_I t \to d \in u) \wedge (d \in_I u \to d \in t)$

By the inductive hypothesis, $M' \Vdash_\rho t = u$. By Lemma 6.11 $M' \Vdash_\rho [\![t]\!]_\rho = [\![u]\!]_\rho$. By Lemma 6.17 $M' \downarrow \mathrm{eqRep}(N)$ and $N \Vdash_\rho \forall d.\ (d \in_I [\![t]\!]_\rho \to d \in [\![u]\!]_\rho) \wedge (d \in_I [\![u]\!]_\rho \to d \in [\![t]\!]_\rho)$. Since $\mathrm{eqProp}(t, u, M)[\rho] = \mathrm{eqProp}(M') \to^* \mathrm{eqProp}(\mathrm{eqRep}(N)) \to N$, by Lemma 6.13 $\mathrm{eqProp}(t, u, M)[\rho] \Vdash_\rho \forall d.\ (d \in_I [\![t]\!]_\rho \to d \in [\![u]\!]_\rho) \wedge (d \in_I [\![u]\!]_\rho \to d \in [\![t]\!]_\rho)$. Lemma 6.11 applied once again gives us the claim.

For inProp and inRep, the proof is similar to the two previous cases. 

$\Gamma \vdash M : \phi_A(t, \vec u)$
$\Gamma \vdash \mathrm{axRep}(t, \vec u, M) : t \in_I t_A(\vec u)$

By the inductive hypothesis, $M' \Vdash_\rho \phi_A(t, \vec u)$. By Lemma 6.11 this is equivalent to $M' \Vdash_\rho \phi_A([\![t]\!]_\rho, [\![\vec u]\!]_\rho)$. By Lemma 6.31 $(\mathrm{axRep}(M'), [\![t]\!]_\rho) \in [\![t_A(\vec u)]\!]_\rho$, so $\mathrm{axRep}(M') \Vdash_\rho t \in_I t_A(\vec u)$.

$\Gamma \vdash M : t \in_I t_A(\vec u)$
$\Gamma \vdash \mathrm{axProp}(t, \vec u, M) : \phi_A(t, \vec u)$

By the inductive hypothesis, $M' \Vdash_\rho t \in_I t_A(\vec u)$. This means that $M' \downarrow v$ and $(v, [\![t]\!]_\rho) \in [\![t_A(\vec u)]\!]_\rho$. By Lemma 6.31 $v = \mathrm{axRep}(N)$ and $N \Vdash_\rho \phi_A([\![t]\!]_\rho, [\![\vec u]\!]_\rho)$. By Lemma 6.11 $N \Vdash_\rho \phi_A(t, \vec u)$. Moreover, $\mathrm{axProp}(t, \vec u, M)[\rho] = \mathrm{axProp}(M') \to^* \mathrm{axProp}(\mathrm{axRep}(N)) \to N$. Lemma 6.13 gives us the claim.

$\Gamma \vdash M : \forall c.\ (\forall b.\ b \in_I c \to \phi(b, \vec t)) \to \phi(c, \vec t)$
$\Gamma \vdash \mathrm{ind}(M, \vec t) : \forall a.\ \phi(a, \vec t)$

Since $\mathrm{ind}(M')$ reduces to $\lambda c.\ M'\ c\ (\lambda b.\ \lambda x.\ \mathrm{ind}(M')\ b)$, by Lemma 6.13 it suffices to show that for all $C, t$, $M'\ t\ (\lambda b.\ \lambda x.\ \mathrm{ind}(M')\ b) \Vdash_\rho \phi(C, \vec t)$. We proceed by induction on the $\lambda$-rank of $C$. Take any $C, t$. By the inductive hypothesis, $M' \Vdash_\rho \forall c.\ (\forall b.\ b \in_I c \to \phi(b, \vec t)) \to \phi(c, \vec t)$, so $M' \downarrow \lambda c.\ N$ and $N[c := t] \Vdash_\rho (\forall b.\ b \in_I C \to \phi(b, \vec t)) \to \phi(C, \vec t)$. By Lemma 6.15 it suffices to show that $\lambda b.\ \lambda x.\ \mathrm{ind}(M')\ b \Vdash_\rho \forall b.\ b \in_I C \to \phi(b, \vec t)$. Take any $B, u, O \Vdash_\rho B \in_I C$; we need to show that $\mathrm{ind}(M')[x := O]\ u \Vdash_\rho \phi(B, \vec t)$. As $x \notin FV(M')$, it suffices to show that $\mathrm{ind}(M')\ u \Vdash_\rho \phi(B, \vec t)$, which, by Lemma 6.13, is equivalent to $M'\ u\ (\lambda b.\ \lambda x.\ \mathrm{ind}(M')\ b) \Vdash_\rho \phi(B, \vec t)$. As $O \Vdash_\rho B \in_I C$, the $\lambda$-rank of $B$ is less than the $\lambda$-rank of $C$ and we get the claim by the inductive hypothesis. □
Corollary 7.5 (Normalization). If $\vdash M : \phi$, then $M \downarrow$.

Proof. Take $\rho$ mapping all free propositional variables of $M$ to themselves and all free first-order variables $a$ of $M$ to $(a, \emptyset)$. Then $\rho \models\ \vdash M : \phi$. By Theorem 7.4 $M[\rho]$ normalizes. By the definition of $\rho$, $M[\rho] = M$. By Lemma 6.1 $M$ normalizes. □

As the reduction system is deterministic, the distinction between strong and weak normalization does not exist. If the reduction system is extended to allow reductions anywhere inside the term, Corollary 7.5 shows only weak normalization. The counterexamples from [Moc06a] adapted to $\lambda Z_\omega$ show that $IZF_{R\omega}$ does not strongly normalize and that the non-well-founded version does not normalize at all.

Our method of carrying out the normalization proof is very different from the standard approach, based on Girard's method of candidates [GTL89]. As the candidates method is usually used to show strong normalization of formal systems, it is unclear if it could be applied to $IZF_{R\omega}$, given that it does not strongly normalize. Although it might be possible to restate the realizability relation in terms closer to the candidates method, we believe our account is easier to understand and closer to its roots [McC84]. We will show how to apply our method to show normalization of several weaker systems in the forthcoming [Moc07].

The normalization theorem immediately provides the standard properties of construc- 
tive set theories — the disjunction property, the term existence property, the set existence 
property and the numerical existence property. Proofs are the same as in [Moc06a]; we only 
show the proofs of TEP and SEP. 

Corollary 7.6 (Term Existence Property). If $IZF_{R\omega} \vdash \exists x.\ \phi(x)$, then there is a term $t$ such that $IZF_{R\omega} \vdash \phi(t)$.

Proof. By the Curry-Howard isomorphism, there is a $\lambda Z_\omega$-term $M$ such that $\vdash M : \exists x.\ \phi$. By Corollary 5.8, $M \downarrow v$ and $\vdash v : \exists x.\ \phi$. By Canonical Forms, there is a pair $[t, N]$ such that $\vdash N : \phi(t)$. Therefore, by the Curry-Howard isomorphism, $IZF_{R\omega} \vdash \phi(t)$. □

Corollary 7.7 (Set Existence Property). If $IZF_{R\omega} \vdash \exists x.\ \phi(x)$ and $\phi$ is term-free, then there is a term-free formula $\psi(x)$ such that $IZF_{R\omega} \vdash \exists! x.\ \phi(x) \wedge \psi(x)$.

Proof. By the previous corollary we have $IZF_{R\omega} \vdash \phi(t)$ for some term $t$. Moreover, for any $IZF_{R\omega}$ term $s$, there is a term-free defining formula $\psi_s(x)$ such that $IZF_{R\omega} \vdash \psi_s(s) \wedge \exists! x.\ \psi_s(x)$. Therefore $IZF_{R\omega} \vdash \exists! x.\ \phi(x) \wedge \psi_t(x)$. □

In [CM06] we have shown how to use DP, NEP and TEP for the purpose of program extraction. Thus our results establish $IZF_{R\omega}$ as a valid basis for a prover based on set theory with inaccessibles with the capability of program extraction from constructive proofs.
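The reductions invoked in the proof of Theorem 7.4 (β-reduction, fst/snd on pairs, case on inl/inr, let on a pair [t, M], and the Prop/Rep cancellations such as axProp(axRep(N)) → N) together with the witness read-off of Corollary 7.6, as an added Python example that is not part of the paper; the tuple term representation, the kind-tagged 'rep'/'prop' encoding and the sample term PROOF are this example's own assumptions.

```python
# Added example, not code from the paper: a deterministic head reducer for a fragment of the
# lambda-Z_omega proof terms of Theorem 7.4, plus the witness read-off of Corollary 7.6.
# Assumptions: terms are nested tuples, variables are uniquely named (so naive substitution is
# capture-free), and a kind-tagged 'rep'/'prop' pair stands for eq/in/axRep and eq/in/axProp.

def subst(m, key, val):
    """Replace every occurrence of the leaf `key` (('var', x) or ('fvar', a)) by `val`."""
    if m == key:
        return val
    return tuple(subst(c, key, val) for c in m) if isinstance(m, tuple) else m

def step(m):
    """One head-reduction step; None when `m` is already a canonical form (a value)."""
    tag = m[0]
    if tag == 'app' and m[1][0] == 'lam':            # (lambda x. N) M -> N[x := M]
        return subst(m[1][2], ('var', m[1][1]), m[2])
    if tag == 'tapp' and m[1][0] == 'tlam':          # (lambda a. N) t -> N[a := t]
        return subst(m[1][2], ('fvar', m[1][1]), m[2])
    if tag in ('fst', 'snd') and m[1][0] == 'pair':  # fst((M1, M2)) -> M1, snd -> M2
        return m[1][1 if tag == 'fst' else 2]
    if tag == 'case' and m[1][0] == 'inl':           # case(inl M, x.N, y.O) -> N[x := M]
        return subst(m[3], ('var', m[2]), m[1][1])
    if tag == 'case' and m[1][0] == 'inr':           # case(inr M, x.N, y.O) -> O[y := M]
        return subst(m[5], ('var', m[4]), m[1][1])
    if tag == 'let' and m[3][0] == 'ex':             # let [a, x] := [t, M] in N -> N[a := t][x := M]
        return subst(subst(m[4], ('fvar', m[1]), m[3][1]), ('var', m[2]), m[3][2])
    if tag == 'prop' and m[2][0] == 'rep' and m[2][1] == m[1]:   # axProp(axRep(N)) -> N
        return m[2][2]
    # No head redex: reduce the scrutinised subterm (the deterministic weak-head strategy).
    i = {'app': 1, 'tapp': 1, 'fst': 1, 'snd': 1, 'case': 1, 'let': 3, 'prop': 2}.get(tag)
    r = step(m[i]) if i else None                    # canonical forms (lambda, pair, inl, [t, M], *Rep) give None
    return None if r is None else m[:i] + (r,) + m[i + 1:]

def normalize(m, fuel=100000):
    """Iterate `step` until a canonical form appears (the paper's M ↓ v)."""
    for _ in range(fuel):
        r = step(m)
        if r is None:
            return m
        m = r
    raise RuntimeError("no canonical form reached within fuel")

def extract_witness(proof):
    """Corollary 7.6 in action: a closed proof of an existential normalizes to [t, N]; return t."""
    v = normalize(proof)
    if v[0] != 'ex':
        raise ValueError("not a proof of an existential")
    return v[1]

# Constructed sample: (Λa. λx. case(inl x, y.[S(a), fst y], z.[a, snd z])) 0 (p, q); p, q are canonical stand-ins.
ZERO = ('zero',)
P, Q = ('rep', 'ax', ('lam', 'd', ('var', 'd'))), ('rep', 'eq', ('lam', 'e', ('var', 'e')))
PROOF = ('tapp', ('tlam', 'a', ('app', ('lam', 'x', ('case', ('inl', ('var', 'x')),
    'y', ('ex', ('S', ('fvar', 'a')), ('fst', ('var', 'y'))),
    'z', ('ex', ('fvar', 'a'), ('snd', ('var', 'z'))))), ('pair', P, Q))), ZERO)
```

Running extract_witness(PROOF) performs the Λ-application, the β-step and the case-step in that order and stops at the canonical pair, whose first component S(0) is the extracted witness; the inner fst is left unreduced, exactly as weak-head reduction leaves it.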

8. Related work 

Several normalization results for impredicative constructive set theories much weaker than IZF exist. Bailin [Bai88] proved strong normalization of a constructive set theory without the induction and replacement axioms. Miquel interpreted a theory of similar strength in a PTS (Pure Type System) [Miq04], where he also showed strong normalization of the calculus. This result was later extended — Dowek and Miquel [DM06] interpreted a version of constructive Zermelo set theory in a strongly normalizing deduction-modulo system.

In [Miq03], Miquel interpreted $IZF_C$ without the $\in$-induction axiom in a strongly normalizing lambda calculus with types based on $F_{\omega.2}$. It is unclear if Miquel's techniques could be used to prove any of DP, NEP, SEP and TEP for the theory or to provide interpretations of ECC or CIC.

Krivine [LK01] defined realizability using lambda calculus for classical set theory conservative over ZF. The types for the calculus were defined. However, it seems to this author that the types correspond to truth in the realizability model rather than to provable statements in the theory. Moreover, the calculus does not even weakly normalize.

The standard metamathematical properties of theories related to IZF are well investigated. Myhill [Myh73] showed DP, NEP, SEP and TEP for IZF with Replacement and a non-recursive list of set terms. Friedman and Scedrov [FS83] showed SEP and TEP for an extension of that theory with countable choice axioms. Recently DP and NEP were shown for IZF with Collection extended with various choice principles by Rathjen [Rat06]. However, the technique does not seem to be strong enough to provide TEP and SEP.

Powerful large set axioms (including the existence of class-many inaccessibles) were added to IZF with Collection by Friedman and Scedrov [FS84]. The notion of an inaccessible set they use differs from ours, as their inaccessibles must also model the Collection axiom. We do not know if these two notions coincide. Both DP and NEP were shown for the resulting theories, but we do not think that SEP and TEP could be proved with their technique.

Inaccessible sets were also investigated in the context of weaker, predicative CZF (Constructive Zermelo-Fraenkel). Crosilla and Rathjen [CR02] showed that the power of inaccessible set axioms might be closely linked to the $\in$-induction axiom. They proved that inaccessible sets added to CZF with $\in$-induction taken away do not add any proof-theoretical power.